Wednesday, November 6, 2019

IKEv2 IPSEC VPN

What is IKEv2?
IKE stands for Internet Key Exchange. IKEv2 is version 2 of the protocol, created as an improvement over IKEv1 for setting up security associations (SAs) in IPsec.

Why IKEv2?
  • More secure, with support for EAP
  • Support for newer algorithms such as AES-CBC (Advanced Encryption Standard in Cipher Block Chaining mode)
  • Built-in support for dead peer detection (DPD)
  • Support for NAT traversal (NAT-T)
  • Addresses some of the denial-of-service weaknesses that existed in IKEv1
  • Multiple crypto engines (IPv4 and IPv6)
  • Sequencing and acknowledgments to provide reliable connectivity

One of the IKEv1 vulnerabilities has been found on devices from multiple vendors and can be exploited to let an attacker bypass authentication: for example, susceptibility to Bleichenbacher oracle attacks (more information here: https://robotattack.org/).
Another issue is susceptibility to brute-force attacks when pre-shared-key authentication is used with a weak password.

How is IKEv2 configured?

  1. Proposal: configures the encryption algorithm, the integrity algorithm and the Diffie-Hellman group.
Example:
#crypto ikev2 proposal cisco
#encryption aes-cbc-256  (CBC stands for cipher block chaining)
#integrity sha256
#group 19

  2. Policy: references the name of the proposal configured above.
Example:
#crypto ikev2 policy cisco
#proposal cisco

  3. Keyring: configures the key that will be exchanged to establish phase 1, and the authentication type, which in our example is pre-shared.
Example:
#crypto ikev2 keyring cisco
#peer R3
#address 10.0.0.2
#pre-shared-key cisco1234

  4. IPsec profile: this is phase 2; the transform set is created here.
NOTE: you can also create a crypto map, which is the legacy way; the IPsec profile is the newer way.

In the crypto map we set:
  1. the peer IP address and the transform set,
  2. the PFS (Perfect Forward Secrecy) Diffie-Hellman group,
  3. the IKEv2 profile configured earlier, and
  4. the match address, using the extended ACL we configured.
Note: the crypto map type must be ipsec-isakmp.
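To tie the four steps and the crypto map note together, the following is a complete site-to-site configuration for one router, added here as an example; it is not from the original post. It assumes a router R1 whose WAN interface GigabitEthernet0/0 is 10.0.0.1, the peer R3 at 10.0.0.2 (the address from the keyring example above), LAN subnets 192.168.1.0/24 behind R1 and 192.168.3.0/24 behind R3, and object names (PROP-AES256, PROF-R3, TS-AES256-SHA256, IPSEC-PROF-R3, CMAP-R3, ACL-VPN-TRAFFIC, Tunnel0) chosen for this example; the pre-shared key is a placeholder. It also shows the IKEv2 profile that the policy and keyring steps above leave implicit and that "set ikev2-profile" points to, the IPsec-profile-on-tunnel method first and the legacy crypto-map method second, and the show commands used to verify phase 1 and phase 2.

```cisco
! Example site-to-site IKEv2/IPsec config for R1 (assumed topology, not the post's lab)
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
! === Phase 1: IKEv2 proposal, policy and keyring (same algorithms as the post) ===
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy POL-IKEV2
 proposal PROP-AES256
!
crypto ikev2 keyring KR-R3
 peer R3
  address 10.0.0.2
! placeholder: use a long random key; a dictionary word is brute-forceable offline
  pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
!
! IKEv2 profile: binds the peer identity, the authentication method and the keyring.
! This is the object the IPsec profile or crypto map references with "set ikev2-profile".
crypto ikev2 profile PROF-R3
 match identity remote address 10.0.0.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-R3
! dead peer detection: liveness check every 10 s, 2 retries, only when traffic is pending
 dpd 10 2 on-demand
!
! === Phase 2: transform set (ESP with AES-256 and SHA-256 HMAC) ===
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Method A (newer): IPsec profile applied to a tunnel interface ---
crypto ipsec profile IPSEC-PROF-R3
 set transform-set TS-AES256-SHA256
 set pfs group19
 set ikev2-profile PROF-R3
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-R3
!
ip route 192.168.3.0 255.255.255.0 Tunnel0
!
! --- Method B (legacy): crypto map on the WAN interface; pick one method, not both ---
ip access-list extended ACL-VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
crypto map CMAP-R3 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS-AES256-SHA256
 set pfs group19
 set ikev2-profile PROF-R3
 match address ACL-VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map CMAP-R3
!
! === Verification (exec mode) ===
! show crypto ikev2 sa            phase 1 SA: status READY, one entry per peer
! show crypto ikev2 sa detailed   negotiated cipher, PRF, integrity, DH group, auth method
! show crypto ipsec sa            phase 2: #pkts encaps/decaps must increase with traffic
! show crypto ikev2 session       session overview including the child (IPsec) SAs
```

R3 gets the mirror image of this configuration with the addresses and subnets swapped; the proposal, transform set and PFS group must match on both ends or the negotiation fails in the phase the mismatch belongs to, which is the first thing to look for in "show crypto ikev2 sa detailed" when the tunnel does not come up.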
===============================================

Note: you can use IKEv2 for remote-access VPN as well, but when configured on a Cisco ASA it needs to work with a remote authentication server (RADIUS); it will not let you create users locally.
See the image below:
However, you may be able to work around this by editing the group policy after finishing the configuration, as shown below:

How to verify?
An EVE lab for this is attached.

Samer R. Saleem