SSLVPN on an ASA

Here we go, the last piece of the VPN puzzle.

How do we configure an SSLVPN on a Cisco ASA.

We're going to do this all from the CLI but it is extremely easy to do via the ASDM wizard.

I've simply configured a Windows 7 box to point directly at the inside interface of the ASA, and allow a VPN to be configured there.
For reference, the inside interface IP is 10.0.0.1 and the Windows 7 box is 10.0.0.20.

Lets lay out a few requirements:

- Users will connect to https://10.0.0.1/Test to sign into the VPN
- We will use a self signed certificate generated on the ASA
- Users will be authenticated against a local database
- Once connected, users will only be able to access https://10.0.0.15

We're starting with a totally clean ASA so first up we need to configure the interface:

ciscoasa(config)# int g0
ciscoasa(config-if)# ip address 10.0.0.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shut

Now lets lay out the steps required for a VPN to work:

- Generate rsa keys
- create a self signed certificate
- enable webvpn
- create a pool of addresses for the VPN
- create a default group policy
- create a specific group policy
- bypass the interface ACLs
- ensure the VPN traffic is not NATed
- create a tunnel group
- configure user accounts

It looks like a lot, but it's actually quite simple, lets get cracking:

Create keys and certificate:

ciscoasa(config)# crypto key generate rsa label sslvpnkey
INFO: The name for the keys will be: sslvpnkey
Keypair generation process begin. Please wait...
ciscoasa(config)# crypto ca trustpoint localtrust
ciscoasa(config-ca-trustpoint)# enrollment self
ciscoasa(config-ca-trustpoint)# fqdn sslvpn.test.com
ciscoasa(config-ca-trustpoint)# subject-name CN=sslvpn.test.com
ciscoasa(config-ca-trustpoint)# keypair sslvpnkey
ciscoasa(config-ca-trustpoint)# crypto ca enroll localtrust noconfirm

% The fully-qualified domain name in the certificate will be: sslvpn.test.com
ciscoasa(config)# ssl trust-point localtrust inside

The last line is important here, typically we would use the outside interface of the ASA as the whole point of the VPN is terminate traffic from the Internet, but in this case I've just used the inside interface.

Enable webvpn

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable inside
ciscoasa(config-webvpn)# svc enable

Create an address pool for the VPN users:

ciscoasa(config)# ip local pool VPN 10.0.1.1-10.0.1.100 mask 255.255.255.0

Create a default group policy and specific group policy

The default policy is one that will apply to all users and is typically where would configure name servers and other global attributes.  The specific policy can apply to groups of users, for instance you might have one for IT employees and a different one for sales employees.

ciscoasa(config-webvpn)# group-policy DfltGrpPolicy attributes
ciscoasa(config-group-policy)# dns-server value 10.0.0.2
ciscoasa(config-group-policy)# wins-server value 10.0.0.3
ciscoasa(config-group-policy)# vpn-tunnel-protocol svc webvpn
ciscoasa(config-group-policy)# address-pools value VPN

ciscoasa(config)# group-policy IT internal
ciscoasa(config)# group-policy IT attributes
ciscoasa(config-group-policy)# banner value IT Remote Access
ciscoasa(config-group-policy)# vpn-tunnel-protocol webvpn
ciscoasa(config-group-policy)# webvpn

Here we would configure specific rules for IT users, such as what URLs are accessible, but we'll just leave it as default for now.

Configure ACL bypass:

ciscoasa(config)# sysopt connection permit-vpn

NAT exemption:

ciscoasa(config)# access-list no_nat extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ciscoasa(config)#nat (inside) 0 access-list no_nat

Create a tunnel group:

ciscoasa(config)# tunnel-group ITSSL type remote-access
ciscoasa(config)# tunnel
ciscoasa(config)# tunnel-group ITSSL webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias IT enable
ciscoasa(config-tunnel-webvpn)# group-url https://10.0.0.1/Test enable

Create user accounts:

ciscoasa(config)# username bob password testpass
ciscoasa(config)# username bob attributes
ciscoasa(config-username)# service-type remote-access

And that's it, we should now have a connection working, lets test it out:

IPsec

Configuring IPsec

There are four key outcomes from using IPsec which will secure our data:
•    Confidentiality
•    Data integrity
•    Authentication
•    Antireplay

Let’s run through the process a device will go through to set up an IPsec connection to a peer:

1.    IKE Phase 1

The first step involved in a tunnel will be to negotiate the Internet Key Exchange phase 1 tunnel.  There are two modes for this, Main Mode which uses a six packet exchange and Aggressive mode which uses a three packet exchange.  Main mode is considered more secure and is the default mode.  This tunnel is only used for management of the tunnel and no user data is forwarded over it.  There are five items which must be in agreement between the two endpoints before a tunnel can be set up.
•    Hash algorithm
•    Encryption algorithm
•    Diffie-Hellman group
•    Authentication method
•    Lifetime
The lifetime is the only one which doesn’t have to match exactly, as the lower of the two (if they differ) will be used for the tunnel.

2.    Diffie-Hellman key exchange

Once the phase 1 policy is agreed, using the group that has been agreed to in phase 1, a symmetrical key is generated which both ends will use to encrypt the data.

3.    Authenticate the peer

This is the last piece of phase 1 and whichever method agreed to in the phase 1 policy will be used, the options are RSA signatures or pre-shared keys.  Once this is in place we now have a phase 1 tunnel.

Now that we have a management tunnel in place, the two devices must now create a second tunnel that will be used for the actual data.  The devices can use this phase 1 tunnel to negotiate and create the phase 2 tunnel.  This tunnel will use the hashing and encryption algorithms specified in the device configuration, which means that when we are configuring a VPN, we specify the hashing and encryption algorithms for phase 1 and phase 2.

Once we the phase 2 tunnel built then the devices will encrypt the traffic.  Any packet capture between the devices will just look like an encrypted stream of traffic between the two peers.

Let’s build our own VPN connection now to put in place what we have learnt.

I’m using a very simplified topology of two IOS routers directly connected to each other, that direct connection is simulating the Internet.  On each router I have a loopback interface which is simulating an internal network behind the router, and we will configure our VPN to encrypt all traffic between the two networks.

Remembering what we need to configure to get the connection working, this is what we will use for Phase 1:
•    Hash – SHA.  This is generally considered more secure than MD5
•    Authentication – Pre-shared key
•    Group – Diffie-Hellman group, we will use group 5
•    Lifetime – we will use 3600
•    Encryption – AES 256
For phase 2 we will use SHA and AES256 again.

Let’s put that in place on R1:

R1(config)#crypto isakmp policy 5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit
R1(config)#crypto isakmp key secretkey address 10.0.0.2
R1(config)#access-list 100 permit ip 172.16.31.0 0.0.0.255 192.168.0.0 0.0.0.255
R1(config)#crypto ipsec transform-set TESTSET esp-sha-hmac esp-aes 256
R1(cfg-crypto-trans)#mode tunnel
R1(config)#crypto map TESTCMAP 1 ipsec-isakmp
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set transform-set TESTSET
R1(config-crypto-map)#set peer 10.0.0.2
R1(config-crypto-map)#exit
R1(config)#int fa0/0
R1(config-if)#crypto map TESTCMAP


This looks like quite a bit of config, but let’s quickly run through it.  First we establish an ISAKMP polic (phase 1).  We can have multiple policies on each device, and as long as one of them matches then a tunnel can be formed.  We apply our chosen configuration within the phase 1 policy.  Second we define a pre-shared key to use with a remote router and assign it the address of the other end.  Now we create an access-list which will contain all of the traffic which we will want to be encrypted and sent across the tunnel.  Phase 2 is created next and we assign it the chosen configuration, similar to phase 1 except it’s all done in one line.  We set it to tunnel mode which means that the router will take any traffic matching the access-list and encrypt them inside an IPsec packet.  Transport mode is the other option but that is only for traffic between the devices.  Create a crypto map and then apply it to an interface, which causes the router to automatically capure traffic matching the ACL specified in the crypto map and apply the chosen configuration to it, in this cause use the VPN tunnel.
Now let’s apply the same but inverse configuration to R2 and bring up a tunnel.

R1#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1001  10.0.0.1        10.0.0.2                 ACTIVE aes  sha  psk  5  00:47:12
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA


R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: TESTCMAP, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.31.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 10, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xA6EC9D4E(2800524622)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xC7236551(3340985681)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: TESTCMAP
        sa timing: remaining key lifetime (k/sec): (4571197/3545)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA6EC9D4E(2800524622)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: TESTCMAP
        sa timing: remaining key lifetime (k/sec): (4571197/3545)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


R1#show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   AES256+SHA                0        4        4 10.0.0.1
    2  IPsec   AES256+SHA                4        0        0 10.0.0.1
 1001  IKE     SHA+AES256                0        0        0 10.0.0.1

 Note you'll see a few send errors in the phase 2, this is because I initally forgot to attach the transform set on R2 to the crypto map and the VPN failed to come up.

Public Key Infrastructure

We cannot properly understand and implement secure technologies without understanding the principles behind them.  So to continue I this vain we’ll take a deeper look into the principles of public and private keys, and how we use them in our security.

There are a number of different protocols in use today to generate key-pairs:

•    RSA – primarily used for authentication
•    DH – Whilst the algorithm is asymmetric, it generates symmetric keys, and we typically use this in conjunction with 3DES and AES.
•    ElGamal – used with DH
•    DSA – Digital Signature Algorithm
•    ECC – Elliptical Curve Cryptography

Public Keys in use

Both parties who want to communicate will have a public and private key pair.  They are both enrolled with a Certificate Authority (CA), which used the public keys of both and created their digital certificates.  To communicate, we now send our digital certificate to the other party.  The receiving party will verify that the certificate was issued by a trusted CA.  Now that both parties have each other’s public keys, they can communicate securely. 

Certificate Authorities

We briefly mentioned Certificate Authorities (CA) above, so let’s talk a bit more about the role they play for us.  They are an entity which has the ability to create and issue digital certificates.  These certificates include the Fully Qualified Domain Name (FQDN) of the device along with its IP address and public key, and also contain validity dates to ensure that the certificate has no expired.  Most web browsers come with a list of CAs which are trusted, thus relieving us of the problem of being able to verify the identity of these CAs
A root certificate is the certificate associated with the CA and contains the CAs public key.  An identity certificate is similar, but it describes a client and contains that client’s public key.

Digital certificates will contain either all or most of the following:
•    Serial number of the certificate
•    Subject
•    Signature algorithm
•    Signature
•    Issuer
•    Valid from
•    Valid to
•    Key usage
•    Public key
•    Thumbprint algorithm
•    Thumbprint
•    Certificate revocation list location

Public Key Standards

•    PKCS 1 – RSA
•    PKCS 3 – Diffie-Hellman
•    PKCS 7 – format of a response to a PKCS 10 request
•    PKCS 10 – format of a certificate request sent to a CA.
•    PKCS 12 – format for storing public and private keys using a symmetric password

Implementing PKI

Single Root CA

A typical solution for a small environment is to have one single CA server handling all requests; however there is no fault tolerance in this case.

Hierarchical CA with Subordinate CAs

Here we have a root CA which delegates the authority to subordinate CAs to create and assign identity certificates. 

Cross-certifying CAs

In this situation we have multiple CAs acting at the same level.  Clients of either CA will trust the signatures of the other CA.

Configuring certificates on an ASA:

ciscoasa(config)# crypto key generate rsa label TestPair modulus 2048 noconfirm
INFO: The name for the keys will be: TestPair
Keypair generation process begin. Please wait...

ciscoasa(config)# crypto ca trustpoint TestCA
ciscoasa(config-ca-trustpoint)# keypair TestPair
ciscoasa(config-ca-trustpoint)# id-usage ssl-ipsec
ciscoasa(config-ca-trustpoint)# no fqdn
ciscoasa(config-ca-trustpoint)# subject-name CN=ciscoasa
ciscoasa(config-ca-trustpoint)# enrollment url http://192.168.1.1
ciscoasa(config-ca-trustpoint)# exit
ciscoasa(config)# crypto ca authenticate TestCA nointeractive
ciscoasa(config)# crypto ca enroll TestCA noconfirm

VPNs and cryptography

Virtual Private Network (VPN)

A VPN is a method of creating a local network between two devices which are not local to each other.  For instance we might have a device in Auckland and a device in London, with a VPN, we can configure a connection so it’s as if they are on the same LAN.  VPNs came around because the cost of a dedicated line between sites is much higher than implementing a VPN over the Internet. 

Types of VPN

•    IPsec – typically used for site-to-site connections, but can be used for remote-access as well, it implements security at layer 3
•    SSL – security at layer 4, typically used for remote-access VPNs
•    MPLS – provided by a service provider to connect multiple sites that a company as.  No encryption by default but IPsec can be added on top

Benefits of a VPN

The benefits of a VPN hark back to the beginning of this blog where we talked about the key ingredients for data security:
•    Confidentiality
•    Integrity
•    Authentication

Cryptography basics

A cipher is an algorithm that basically lays out how to change a piece of data which we want to keep secret, into an unintelligible piece of data, and then return that data back to what we want, when we want it.

Substitution – Substituting one character for another. 
Polyalphabetic – Using multiple alphabets and switching between them to introduce more complexity
Transposition – Use many different options including the rearrangement of letters.

A key is instructions for how to reassemble the characters back into the correct data. 

A block cipher is a symmetric key that operates on chunks of data called blocks.  Many of the well-known encryption algorithms are symmetric block ciphers.

A stream cipher is also a symmetric key cipher where it is encrypted one bit at a time.

We’ve just briefly mentioned the concept of symmetric and asymmetric keys here, so let’s explore what we mean when we talk about those.

A symmetric algorithm means that exactly the same key is used to encrypt and decrypt the data.  Obviously this means that keeping the key secret is of the utmost importance, because anyone with the key can decrypt it.  This process is used for most of the data we encrypt today simply because it uses much less overhead than asymmetric encryption. 

An asymmetric algorithm is the opposite of this.  When we encrypt the data with one key, we need a different key to decrypt it.  Once it’s encrypted, it’s impossible to decrypt with that same key.  When we implement this, we use the concept of public and private keys.  If someone wants to send us some data, we will give them our public key and they will encrypt the data using this key.  Then when we receive the data, it can only be decrypted with our private key which we have kept secret.

Continuing with our key terms to understand is the concept of hashing.  This is a method used to verify data integrity.  What happens is that we use a process to create a small size value which is associated with that data.  It is only possible to generate that value if the data is exactly the same, so when a hash is set along with the data, we can calculate the hash ourselves, and if they match then we can be confident that the data has not been modified.  The most common algorithms in place are MD5, SHA-1 and SHA-2.  However this does not stop a malicious person manipulating both the data and the hash.

We can use the Hashed Message Authentication Code (HMAC) to calculate the hash and use a secret key to ensure it cannot be modified by unknown people.  This makes it impossible to recalculate a hash without the receiver knowing.

Digital Signatures use a combination of all of these methods to verify that something comes from exactly who it says it comes from.  The process follows like this:  We create a hash of the packet which we are transmitting, and then we encrypt that hash with our private key.  This encrypted hash is called a digital signature and is sent along with the data.  The receiver can then decrypt the hash using our public key and compare it to the hash which they generate themselves.  If the two hashes match then the receiver can be sure that both the data is untouched and that it comes from the correct person.

IPsec

We’ll go into IPsec in more detail later but here are some key things to know:

•    ESP and AH – these are the two protocols we can use to implement IPsec.  ESP is much more frequently used than AH.
•    Encryption algorithms – DES, 3DES, AES
•    Hashing algorithms – MD5, SHA
•    Authentication algorithms – Pre-shared keys, RSA digital signatures
•    Key management – Diffie-Hellman (DH) ca be used to dynamically generate symmetrical keys.  Internet Key Exchange (IKE) does most of the key negotiation.

SSL

Secure Sockets Layer is the protocol we use when we connect to a web server over https instead of http.  When we connect to https, the browser requests that the server identifies itself using its digital certificate.  The browser verifies the certificate using the digital signature attached.