Cisco PIX VPN Configuration

Cisco VPN Configuration

PPTP VPN

  • You'll want to give the PIX a local pool before pasting the PPTP Configuration section:
   ip local pool VPN_POOL 10.0.0.200-10.0.0.230

That will allot anyone connecting to the VPN an IP address in the range 10.0.0.200-10.0.0.230.

  • These lines are also important so that, once connected, you can talk to hosts behind the firewall; the second network in each line should reflect the peer host's network:
   access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
   access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.0
   nat (inside) 0 access-list inside_outbound_nat0_acl


  • A PPTP VPN configuration section will look like the following:
   sysopt connection permit-pptp
   vpdn group PPTP-VPDN-GROUP accept dialin pptp
   vpdn group PPTP-VPDN-GROUP ppp authentication mschap
   vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
   vpdn group PPTP-VPDN-GROUP client configuration address local VPN_POOL
   vpdn group PPTP-VPDN-GROUP client configuration dns 216.234.234.30 12.96.160.115
   vpdn group PPTP-VPDN-GROUP pptp echo 60
   vpdn group PPTP-VPDN-GROUP client authentication local
   vpdn username VPN_User01 password xxxxxx
   vpdn enable outside


Adding Users to the PPTP VPN

Adding users to the VPN configuration is very simple through the PDM, but it may be even easier from the command-line shell.

  • To add a new user, just add the following line:
   vpdn username VPN_User02 password p4ssw0rd

IPSEC VPN

For VPNs consisting of two PIX endpoints

IPsec negotiation can be broken down into five steps, including two Internet Key Exchange (IKE) phases.

  • An IPsec tunnel is initiated by interesting traffic. Traffic is considered interesting when it travels between the IPsec peers.
  • In IKE Phase 1, the IPsec peers negotiate the established IKE Security Association (SA) policy. Once the peers are authenticated, a secure tunnel is created using Internet Security Association and Key Management Protocol (ISAKMP).
  • In IKE Phase 2, the IPsec peers use the authenticated and secure tunnel to negotiate IPsec SA transforms. The negotiation of the shared policy determines how the IPsec tunnel is established.
  • The IPsec tunnel is created and data is transferred between the IPsec peers based on the IPsec parameters configured in the IPsec transform sets.
  • The IPsec tunnel terminates when the IPsec SAs are deleted or when their lifetime expires.

Note: IPsec negotiation between the two PIXs fails if the SAs on both of the IKE phases do not match on the peers.

Image:pixdiag.gif

  • Configure IKE for Preshared Keys

Issue the isakmp enable command to enable IKE on the IPsec terminating interfaces. In this scenario, the outside interface is the IPsec terminating interface on both PIXs. IKE is configured on both PIXs, but the commands shown here are from PIX(The Planet) only.

   isakmp enable outside

You also need to define the IKE policies that are used during the IKE negotiations. Issue the isakmp policy command in order to do this. When you issue this command, you must assign a priority level so that the policies are uniquely identified. In this case, the highest priority of 1 is assigned to the policy. The policy is also set to use a preshared key, the MD5 hashing algorithm for data authentication, DES for the Encapsulating Security Payload (ESP), and Diffie-Hellman group 1. The policy also sets the IKE SA lifetime (1000 seconds here).

   isakmp policy 1 authentication pre-share
   isakmp policy 1 encryption des
   isakmp policy 1 hash md5
   isakmp policy 1 group 1
   isakmp policy 1 lifetime 1000

The IKE configuration can be verified with the show isakmp policy command:

   PIX(The Planet)#show isakmp policy
   Protection suite of priority 1
   encryption algorithm: DES - Data Encryption Standard (56 bit keys).
   hash algorithm: Message Digest 5
   authentication method: Pre-Shared Key
   Diffie-Hellman group: #1 (768 bit)
   lifetime: 1000 seconds, no volume limit
   Default protection suite
   encryption algorithm: DES - Data Encryption Standard (56 bit keys).
   hash algorithm: Secure Hash Standard
   authentication method: Rivest-Shamir-Adleman Signature
   Diffie-Hellman group: #1 (768 bit)
   lifetime: 86400 seconds, no volume limit

Now configure the preshared key and assign a peer address by issuing the isakmp key command. When preshared keys are used, the same key must be configured on both IPsec peers; the address in the command differs on each side because it is the IP address of the remote peer.

   isakmp key ********** address 209.57.87.200 netmask 255.255.255.255
   PIX(The Planet)#

The policy can be verified with the show isakmp command:

   PIX(The Planet)#show isakmp
   isakmp enable outside
   isakmp key ********** address 209.57.87.200 netmask 255.255.255.255
   isakmp identity address
   isakmp policy 1 authentication pre-share
   isakmp policy 1 encryption des
   isakmp policy 1 hash md5
   isakmp policy 1 group 1
   isakmp policy 1 lifetime 1000

Configuring IPSEC

IPsec is initiated when one of the PIXs receives traffic that is destined for the other PIX's inside network. This traffic is deemed interesting traffic that needs to be protected by IPsec. An access list is used to determine which traffic initiates the IKE and IPsec negotiations. This access list permits traffic to be sent from the local inside network, via the IPsec tunnel, to the remote inside network (the reference example this text is adapted from uses 10.1.1.x to 172.16.1.x on a PIX named Maui-PIX-01; the configuration on this page uses 10.0.0.0/24 to 10.10.0.0/24 on PIX(The Planet)). The access list on the opposite PIX mirrors this access list, with source and destination swapped.

   access-list 101 permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.255.0

The IPsec transform set defines the security policy that the peers use to protect the data flow. The IPsec transform set is defined with the crypto ipsec transform-set command. A unique name must be chosen for the transform set, and up to three transforms can be selected to define the IPsec security protocols. This configuration only uses two transforms: esp-des (encryption) and esp-md5-hmac (authentication).

   crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

Crypto maps set up IPsec SAs for the encrypted traffic. You must assign a map name and a sequence number to create a crypto map. Then you define the crypto map parameters. The crypto map transam shown below uses IKE to establish IPsec SAs, encrypts anything that matches access-list 101, has a set peer, and uses the ESP-DES-MD5 transform set to enact its security policy for that traffic.

   crypto map transam 1 ipsec-isakmp
   crypto map transam 1 match address 101
   crypto map transam 1 set peer 209.57.87.200
   crypto map transam 1 set transform-set ESP-DES-MD5

After you define the crypto map, apply the crypto map to an interface. The interface you choose must be the IPsec terminating interface.

   crypto map transam interface outside

Issue the show crypto map command to verify the crypto map attributes.

   PIX(The Planet)#show crypto map

   Crypto Map: "transam" interfaces: { outside }

   Crypto Map "transam" 1 ipsec-isakmp
   Peer = 209.57.87.200
   access-list 101 permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.255
   Current peer: 209.57.87.200
   Security association lifetime: 4608000 kilobytes/28800 seconds
   PFS (Y/N): N
   Transform sets={ ESP-DES-MD5, }

Configuring NAT

These commands tell the PIX not to NAT any traffic deemed interesting for IPsec. Thus, all traffic that matches the access-list statement is exempt from NAT.

   access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.255.0
   nat (inside) 0 access-list inside_outbound_nat0_acl

Because all inbound sessions must be explicitly permitted by an access list or a conduit, the sysopt connection permit-ipsec command is used to permit all inbound IPsec authenticated cipher sessions. With IPsec protected traffic, the secondary conduit check can be redundant and cause the tunnel creation to fail. The sysopt command tunes various PIX firewall security and configuration features.

   sysopt connection permit-ipsec
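The note above says negotiation fails when the two PIXs disagree on either IKE phase. The following checker is an added example (not from this page or from Cisco) that parses the Phase 1 policy, preshared key, transform set, peer address and crypto access list out of two PIX configs and reports anything that would stop the peers from forming the tunnel. The first config is PIX(The Planet)'s from this page; the remote peer's inside network 10.10.0.0/24 and The Planet's outside address 209.57.87.100 are assumed.

```python
# Constructed samples: PIX(The Planet) as on the page; the remote peer's inside
# net 10.10.0.0/24 and The Planet's outside address 209.57.87.100 are assumed.
THE_PLANET = """
isakmp key s3cret address 209.57.87.200 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map transam 1 set peer 209.57.87.200
"""
# The remote peer mirrors it: points back at 209.57.87.100, crypto ACL networks swapped.
REMOTE = THE_PLANET.replace("209.57.87.200", "209.57.87.100").replace(
    "10.0.0.0 255.255.255.0 10.10.0.0", "10.10.0.0 255.255.255.0 10.0.0.0")

def parse(cfg):
    """Pull out only the fields that must agree between the two peers."""
    f = {"policy": {}, "acl": None, "peer": None, "key": None, "key_for": None, "ts": None}
    for w in (line.split() for line in cfg.splitlines()):
        if w[:2] == ["isakmp", "policy"]:
            f["policy"][w[3]] = " ".join(w[4:])       # e.g. "hash" -> "md5"
        elif w[:2] == ["isakmp", "key"]:
            f["key"], f["key_for"] = w[2], w[4]       # key and the peer address it is bound to
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            f["acl"] = tuple(w[4:8])                  # src, src mask, dst, dst mask
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            f["ts"] = frozenset(w[4:])                # transform order does not matter
        elif w[-3:-1] == ["set", "peer"]:
            f["peer"] = w[-1]
    return f

def check_peers(cfg_a, cfg_b, addr_a, addr_b):
    """Return the mismatches that would make negotiation fail; [] means the peers agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    phase1 = lambda f: {k: v for k, v in f["policy"].items() if k != "lifetime"}
    problems = []
    if phase1(a) != phase1(b):                    # lifetimes may differ: the shorter wins
        problems.append("IKE Phase 1 policy differs: %s vs %s" % (phase1(a), phase1(b)))
    if a["ts"] != b["ts"]:
        problems.append("IPsec (Phase 2) transform sets differ")
    if a["key"] != b["key"]:
        problems.append("preshared keys differ")
    if (a["peer"], a["key_for"], b["peer"], b["key_for"]) != (addr_b, addr_b, addr_a, addr_a):
        problems.append("set peer / isakmp key addresses do not point at each other")
    if a["acl"] != (b["acl"][2], b["acl"][3], b["acl"][0], b["acl"][1]):
        problems.append("crypto access lists are not mirror images of each other")
    return problems
```

Run check_peers(THE_PLANET, REMOTE, "209.57.87.100", "209.57.87.200") before pasting configs onto both boxes; an empty list means the Phase 1, Phase 2, key, peer and ACL settings line up.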


  • This is for IPSec connections from the VPN Client:
   sysopt connection permit-ipsec
   crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
   crypto map transam 1 ipsec-isakmp
   crypto map transam 1 match address 101
   crypto map transam 1 set peer 209.57.87.200
   crypto map transam 1 set transform-set ESP-DES-MD5
   crypto map transam interface outside
   isakmp enable outside
   isakmp identity address
   isakmp key ********** address 209.57.87.200 netmask 255.255.255.255
   isakmp policy 1 authentication pre-share
   isakmp policy 1 encryption des
   isakmp policy 1 hash md5
   isakmp policy 1 group 1
   isakmp policy 1 lifetime 1000

Adding Users to the IPSEC VPN

  • To add a user to this config, use the following lines (the address pool named here, vpnclient, must already exist, defined with ip local pool as VPN_POOL was in the PPTP section):
   vpngroup VPN_User01 address-pool vpnclient
   vpngroup VPN_User01 idle-time 1800
   vpngroup VPN_User01 password p4ssw0rd


Verify Connection Status

  • show crypto ipsec sa This command displays the current status of the IPsec SAs and is useful in determining whether traffic is being encrypted.
  • show crypto isakmp sa This command shows the current state of the IKE SAs.


Troubleshooting the VPN

Note: The clear commands must be performed in configuration mode.

  • clear crypto ipsec sa This command resets the IPsec SAs after failed attempts to negotiate a VPN tunnel.
  • clear crypto isakmp sa This command resets the ISAKMP SAs after failed attempts to negotiate a VPN tunnel.

Note: Refer to Important Information on Debug Commands before you issue debug commands.

  • debug crypto ipsec This command shows if a client is negotiating the IPsec portion of the VPN connection.
  • debug crypto isakmp This command shows if the peers are negotiating the ISAKMP portion of the VPN connection.
  • debug crypto engine This command displays the traffic that is encrypted.

After the connection is complete, it can be verified using the show commands.