Create and manage highly secure IPsec VPNs with IKEv2 and Cisco FlexVPN

The IKEv2 protocol significantly improves VPN security, and Cisco's FlexVPN offers a unified paradigm and command-line interface for taking full advantage of it. Simple and modular, FlexVPN relies extensively on tunnel interfaces while maximizing compatibility with legacy VPNs. Now, two Cisco network security experts offer a complete, easy-to-understand, and practical introduction to IKEv2, modern IPsec VPNs, and FlexVPN. The authors explain each key concept, and then guide you through all facets of FlexVPN planning, deployment, migration, configuration, administration, troubleshooting, and optimization. You'll discover how IKEv2 improves on IKEv1, master key IKEv2 features, and learn how to apply them with Cisco FlexVPN. IKEv2 IPsec Virtual Private Networks offers practical design examples for many common scenarios, addressing IPv4 and IPv6, servers, clients, NAT, pre-shared keys, resiliency, overhead, and more. If you're a network engineer, architect, security specialist, or VPN administrator, you'll find all the knowledge you need to protect your organization with IKEv2 and FlexVPN.
Understand IKEv2 improvements: anti-DDoS cookies, configuration payloads, acknowledged responses, and more
Implement modern secure VPNs with Cisco IOS and IOS-XE
Plan and deploy IKEv2 in diverse real-world environments
Configure IKEv2 proposals, policies, profiles, keyrings, and authorization
Use advanced IKEv2 features, including SGT transportation and IKEv2 fragmentation
Understand FlexVPN, its tunnel interface types, and IOS AAA infrastructure
Implement FlexVPN Server with EAP authentication, pre-shared keys, and digital signatures
Deploy, configure, and customize FlexVPN clients
Configure, manage, and troubleshoot the FlexVPN Load Balancer
Improve FlexVPN resiliency with dynamic tunnel source, backup peers, and backup tunnels
Monitor IPsec VPNs with AAA, SNMP, and Syslog
Troubleshoot connectivity, tunnel creation, authentication, authorization, data encapsulation, data encryption, and overlay routing
Calculate IPsec overhead and fragmentation
Plan your IKEv2 migration: hardware, VPN technologies, routing, restrictions, capacity, PKI, authentication, availability, and more
Table of Contents

Foreword xxvii
Introduction xxxiii

Part I Understanding IPsec VPNs

Chapter 1 Introduction to IPsec VPNs 1
    The Need and Purpose of IPsec VPNs 2
    Building Blocks of IPsec 2
    Security Protocols 2
    Security Associations 3
    Key Management Protocol 3
    IPsec Security Services 3
    Access Control 4
    Anti-replay Services 4
    Confidentiality 4
    Connectionless Integrity 4
    Data Origin Authentication 4
    Traffic Flow Confidentiality 4
    Components of IPsec 5
    Security Parameter Index 5
    Security Policy Database 5
    Security Association Database 6
    Peer Authorization Database 6
    Lifetime 7
    Cryptography Used in IPsec VPNs 7
    Symmetric Cryptography 7
    Asymmetric Cryptography 8
    The Diffie-Hellman Exchange 8
    Public Key Infrastructure 11
    Public Key Cryptography 11
    Certificate Authorities 12
    Digital Certificates 12
    Digital Signatures Used in IKEv2 12
    Pre-Shared-Keys, or Shared Secret 13
    Encryption and Authentication 14
    IP Authentication Header 15
    Anti-Replay 16
    IP Encapsulating Security Payload (ESP) 17
    Authentication 18
    Encryption 18
    Anti-Replay 18
    Encapsulation Security Payload Datagram Format 18
    Encapsulating Security Payload Version 3 19
    Extended Sequence Numbers 19
    Traffic Flow Confidentiality 20
    Dummy Packets 20
    Modes of IPsec 20
    IPsec Transport Mode 20
    IPsec Tunnel Mode 21
    Summary 22
    References 22

Part II Understanding IKEv2

Chapter 2 IKEv2: The Protocol 23
    IKEv2 Overview 23
    The IKEv2 Exchange 24
    IKE_SA_INIT 25
    Diffie-Hellman Key Exchange 26
    Security Association Proposals 29
    Security Parameter Index (SPI) 34
    Nonce 35
    Cookie Notification 36
    Certificate Request 38
    HTTP_CERT_LOOKUP_SUPPORTED 39
    Key Material Generation 39
    IKE_AUTH 42
    Encrypted and Authenticated Payload 42
    Encrypted Payload Structure 43
    Identity 44
    Authentication 45
    Signature-Based Authentication 46
    (Pre) Shared-Key-Based Authentication 47
    EAP 48
    Traffic Selectors 50
    Initial Contact 52
    CREATE_CHILD_SA 53
    IPsec Security Association Creation 53
    IPsec Security Association Rekey 54
    IKEv2 Security Association Rekey 54
    IKEv2 Packet Structure Overview 55
    The INFORMATIONAL Exchange 56
    Notification 56
    Deleting Security Associations 57
    Configuration Payload Exchange 58
    Dead Peer Detection/Keepalive/NAT Keepalive 59
    IKEv2 Request-Response 61
    IKEv2 and Network Address Translation 61
    NAT Detection 64
    Additions to RFC 7296 65
    RFC 5998 An Extension for EAP-Only Authentication in IKEv2 65
    RFC 5685 Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2) 65
    RFC 6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) 65
    RFC 6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) 66
    Summary 66
    References 66

Chapter 3 Comparison of IKEv1 and IKEv2 67
    Brief History of IKEv1 67
    Exchange Modes 69
    IKEv1 70
    IKEv2 71
    Anti-Denial of Service 72
    Lifetime 72
    Authentication 73
    High Availability 74
    Traffic Selectors 74
    Use of Identities 74
    Network Address Translation 74
    Configuration Payload 75
    Mobility & Multi-homing 75
    Matching on Identity 75
    Reliability 77
    Cryptographic Exchange Bloat 77
    Combined Mode Ciphers 77
    Continuous Channel Mode 77
    Summary 77
    References 78

Part III IPsec VPNs on Cisco IOS

Chapter 4 IOS IPsec Implementation 79
    Modes of Encapsulation 82
    GRE Encapsulation 82
    GRE over IPsec 83
    IPsec Transport Mode with GRE over IPsec 83
    IPsec Tunnel Mode with GRE over IPsec 84
    Traffic 85
    Multicast Traffic 85
    Non-IP Protocols 86
    The Demise of Crypto Maps 86
    Interface Types 87
    Virtual Interfaces: VTI and GRE/IPsec 87
    Traffic Selection by Routing 88
    Static Tunnel Interfaces 90
    Dynamic Tunnel Interfaces 91
    sVTI and dVTI 92
    Multipoint GRE 92
    Tunnel Protection and Crypto Sockets 94
    Implementation Modes 96
    Dual Stack 96
    Mixed Mode 96
    Auto Tunnel Mode 99
    VRF-Aware IPsec 99
    VRF in Brief 99
    VRF-Aware GRE and VRF-Aware IPsec 101
    VRF-Aware GRE over IPsec 102
    Summary 103
    Reference 104

Part IV IKEv2 Implementation

Chapter 5 IKEv2 Configuration 105
    IKEv2 Configuration Overview 105
    The Guiding Principle 106
    Scope of IKEv2 Configuration 106
    IKEv2 Configuration Constructs 106
    IKEv2 Proposal 107
    Configuring the IKEv2 Proposal 108
    Configuring IKEv2 Encryption 111
    Configuring IKEv2 Integrity 113
    Configuring IKEv2 Diffie-Hellman 113
    Configuring IKEv2 Pseudorandom Function 115
    Default IKEv2 Proposal 115
    IKEv2 Policy 117
    Configuring an IKEv2 Policy 118
    Configuring IKEv2 Proposals under IKEv2 Policy 119
    Configuring Match Statements under IKEv2 Policy 120
    Default IKEv2 Policy 121
    IKEv2 Policy Selection on the Initiator 122
    IKEv2 Policy Selection on Responder 124
    IKEv2 Policy Configuration Examples 125
    Per-peer IKEv2 Policy 125
    IKEv2 Policy with Multiple Proposals 126
    IKEv2 Keyring 128
    Configuring IKEv2 Keyring 129
    Configuring a Peer Block in Keyring 130
    Key Lookup on Initiator 132
    Key Lookup on Responder 133
    IKEv2 Keyring Configuration Example 134
    IKEv2 Keyring Key Points 136
    IKEv2 Profile 136
    IKEv2 Profile as Peer Authorization Database 137
    Configuring IKEv2 Profile 138
    Configuring Match Statements in IKEv2 Profile 139
    Matching any Peer Identity 142
    Defining the Scope of IKEv2 Profile 143
    Defining the Local IKE Identity 143
    Defining Local and Remote Authentication Methods 145
    IKEv2 Dead Peer Detection 149
    IKEv2 Initial Contact 151
    IKEv2 SA Lifetime 151
    NAT Keepalives 152
    IVRF (inside VRF) 152
    Virtual Template Interface 153
    Disabling IKEv2 Profile 153
    Displaying IKEv2 Profiles 153
    IKEv2 Profile Selection on Initiator and Responder 154
    IKEv2 Profile Key Points 154
    IKEv2 Global Configuration 155
    HTTP URL-based Certificate Lookup 156
    IKEv2 Cookie Challenge 156
    IKEv2 Call Admission Control 157
    IKEv2 Window Size 158
    Dead Peer Detection 158
    NAT Keepalive 159
    IKEv2 Diagnostics 159
    PKI Configuration 159
    Certificate Authority 160
    Public-Private Key Pair 162
    PKI Trustpoint 163
    PKI Example 164
    IPsec Configuration 166
    IPsec Profile 167
    IPsec Configuration Example 168
    Smart Defaults 168
    Summary 169

Chapter 6 Advanced IKEv2 Features 171
    Introduction to IKEv2 Fragmentation 171
    IP Fragmentation Overview 172
    IKEv2 and Fragmentation 173
    IKEv2 SGT Capability Negotiation 178
    IKEv2 Session Authentication 181
    IKEv2 Session Deletion on Certificate Revocation 182
    IKEv2 Session Deletion on Certificate Expiry 184
    IKEv2 Session Lifetime 185
    Summary 187
    References 188

Chapter 7 IKEv2 Deployments 189
    Pre-shared-key Authentication with Smart Defaults 189
    Elliptic Curve Digital Signature Algorithm Authentication 194
    RSA Authentication Using HTTP URL Lookup 200
    IKEv2 Cookie Challenge and Call Admission Control 207
    Summary 210

Part V FlexVPN

Chapter 8 Introduction to FlexVPN 211
    FlexVPN Overview 211
    The Rationale 212
    FlexVPN Value Proposition 213
    FlexVPN Building Blocks 213
    IKEv2 213
    Cisco IOS Point-to-Point Tunnel Interfaces 214
    Configuring Static P2P Tunnel Interfaces 214
    Configuring Virtual-Template Interfaces 216
    Auto-Detection of Tunnel Encapsulation and Transport 219
    Benefits of Per-Peer P2P Tunnel Interfaces 221
    Cisco IOS AAA Infrastructure 221
    Configuring AAA for FlexVPN 222
    IKEv2 Name Mangler 223
    Configuring IKEv2 Name Mangler 224
    Extracting Name from FQDN Identity 225
    Extracting Name from Email Identity 226
    Extracting Name from DN Identity 226
    Extracting Name from EAP Identity 227
    IKEv2 Authorization Policy 228
    Default IKEv2 Authorization Policy 229
    FlexVPN Authorization 231
    Configuring FlexVPN Authorization 233
    FlexVPN User Authorization 235
    FlexVPN User Authorization, Using an External AAA Server 235
    FlexVPN Group Authorization 237
    FlexVPN Group Authorization, Using a Local AAA Database 238
    FlexVPN Group Authorization, Using an External AAA Server 239
    FlexVPN Implicit Authorization 242
    FlexVPN Implicit Authorization Example 243
    FlexVPN Authorization Types: Co-existence and Precedence 245
    User Authorization Taking Higher Precedence 247
    Group Authorization Taking Higher Precedence 249
    FlexVPN Configuration Exchange 250
    Enabling Configuration Exchange 250
    FlexVPN Usage of Configuration Payloads 251
    Configuration Attributes and Authorization 253
    Configuration Exchange Examples 259
    FlexVPN Routing 264
    Learning Remote Subnets Locally 265
    Learning Remote Subnets from Peer 266
    Summary 268

Chapter 9 FlexVPN Server 269
    Sequence of Events 270
    EAP Authentication 271
    EAP Methods 272
    EAP Message Flow 273
    EAP Identity 273
    EAP Timeout 275
    EAP Authentication Steps 275
    Configuring EAP 277
    EAP Configuration Example 278
    AAA-based Pre-shared Keys 283
    Configuring AAA-based Pre-Shared Keys 284
    RADIUS Attributes for AAA-Based Pre-Shared Keys 285
    AAA-Based Pre-Shared Keys Example 285
    Accounting 287
    Per-Session Interface 290
    Deriving Virtual-Access Configuration from a Virtual Template 291
    Deriving Virtual-Access Configuration from AAA Authorization 293
    The interface-config AAA Attribute 293
    Deriving Virtual-Access Configuration from an Incoming Session 294
    Virtual-Access Cloning Example 295
    Auto Detection of Tunnel Transport and Encapsulation 297
    RADIUS Packet of Disconnect 299
    Configuring RADIUS Packet of Disconnect 300
    RADIUS Packet of Disconnect Example 301
    RADIUS Change of Authorization (CoA) 303
    Configuring RADIUS CoA 304
    RADIUS CoA Examples 305
    Updating Session QoS Policy, Using CoA 305
    Updating the Session ACL, Using CoA 307
    IKEv2 Auto-Reconnect 309
    Auto-Reconnect Configuration Attributes 310
    Smart DPD 311
    Configuring IKEv2 Auto-Reconnect 313
    User Authentication, Using AnyConnect-EAP 315
    AnyConnect-EAP 315
    AnyConnect-EAP XML Messages for User Authentication 316
    Configuring User Authentication, Using AnyConnect-EAP 318
    AnyConnect Configuration for Aggregate Authentication 320
    Dual-factor Authentication, Using AnyConnect-EAP 320
    AnyConnect-EAP XML Messages for Dual-factor Authentication 322
    Configuring Dual-factor Authentication, Using AnyConnect-EAP 324
    RADIUS Attributes Supported by the FlexVPN Server 325
    Remote Access Clients Supported by FlexVPN Server 329
    FlexVPN Remote Access Client 329
    Microsoft Windows 7 IKEv2 Client 329
    Cisco IKEv2 AnyConnect Client 330
    Summary 330
    Reference 330

Chapter 10 FlexVPN Client 331
    Introduction 331
    FlexVPN Client Overview 332
    FlexVPN Client Building Blocks 333
    IKEv2 Configuration Exchange 334
    Static Point-to-Point Tunnel Interface 334
    FlexVPN Client Profile 334
    Object Tracking 334
    NAT 335
    FlexVPN Client Features 335
    Dual Stack Support 335
    EAP Authentication 335
    Dynamic Routing 335
    Support for EzVPN Client and Network Extension Modes 336
Understand the IKEv2 protocol, and learn to configure it in Cisco FlexVPN environments
Learn how IKEv2 improves on and fits with previous IPsec VPN and PKI technologies
Contains design scenarios directly relevant to typical enterprise IPsec VPN requirements
Includes detailed configuration examples you can practice in your networking lab
Presents practical migration scenarios for transitioning from IKEv1 legacy solutions
Will be useful to anyone who wants to implement IKEv2, regardless of solution or vendor

Product details

ISBN: 9781587144608
Published: 2016-11-15
Publisher: Cisco Press
Weight: 1220 g
Height: 238 mm
Width: 194 mm
Depth: 38 mm
Age level: P, 06
Language: English
Format: Paperback
Number of pages: 656

About the contributors

Graham Bartlett, CCIE No. 26709, has designed a number of large-scale Virtual Private Networks within the UK and worked with customers throughout the world using IKEv2 and Next Generation Encryption. Graham's interests include Security and Virtual Private Networks. Within this space he has discovered zero-day vulnerabilities, including the highest-severity security advisory in the March 2015 Cisco IOS software and IOS XE software security advisory bundled publication. He has contributed to numerous IETF RFCs, and has intellectual property published as prior art. He is a CiscoLive speaker and has developed Cisco Security exam content (CCIE/CCNP). He is a CCP (Senior) IA Architect, CCP (Practitioner) Security & Information Risk Advisor, CCNP, CISSP, Cisco Security Ninja and holds a BSc (Hons) in Computer Systems and Networks.

Amjad Inamdar, CISSP 460898, is a Senior Technical Leader with Cisco IOS Security Engineering, India. He has primarily worked on the design, development and deployment of Cisco IOS secure connectivity solutions, including the industry-leading FlexVPN, DMVPN, GETVPN and EzVPN solutions, and is currently working on the Cisco next-generation SD-WAN solution. He has contributed to IETF drafts, holds a Cisco patent and has prior art publications. He holds many industry certifications, including CISSP, CCSK, CCNP Security, CCDP, CCNP R/S, CCNA (SP, Data Center, Wireless, Voice) and Cisco Security Ninja, and has presented on security at conferences, internal forums and to Cisco customers and partners. He holds a degree (B.E.) in Electronics and Communication Engineering.