Network Access for Remote Users: Practical IPSec
Dr John S. Graham, ULCC, johng@nosc.ja.net


Summary of Installations

• Remote Site
  – Guildhall School of Music and Drama
  – Southgate and Capel Manor Colleges
• Remote Users
  – Conservatoire of Dance and Drama

Crypto Route Map

• Crypto map
  – Static or Dynamic
• IKE Policy
• Additional Optional Steps
  – User authentication
  – Peer configuration
• Integrate with overall router config

IKE Policies

• Algorithms to be offered
• Authentication method
  – Pre-shared key
  – X.509 certificates
  – RSA encrypted nonces
• Diffie-Hellman Group

GSMD Physical Installation

[Diagram: Remote Site connected to Main Campus]

GSMD: Equipment at Remote Site

• ‘Wires Only’ ADSL Connection
  – One Static IP Address
• Splitter
• Cisco 827H Router
  – Ethernet hub (4 ports) plus ATM port

Static Crypto Components

• Create Crypto Map
  – Define trigger (ACL)
  – Peer Identity (IP address or FQDN)
  – Define transform
    • Mode (tunnel or transport)
    • List of algorithms that will be offered to peer
  – Lifetime of SA
• Bind crypto map to external interface
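An added illustration, not taken from the slides, of how these components fit together on the remote-site IOS router. The main-campus peer address 203.0.113.1, the remote private network 192.168.10.0/24, the interface name Dialer1 and the pre-shared key placeholder are all assumptions; 192.168.0.0/24 is the campus prefix used later in the deck.

```cisco
! IKE policy: algorithms offered, authentication method and DH group
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Known peer: the shared secret is indexed by the peer's static IP address
crypto isakmp key REPLACE-WITH-STRONG-SECRET address 203.0.113.1
!
! Transform: algorithms offered for the IPSec SA, and the encapsulation mode
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! Trigger ACL: only traffic between the two private networks is encrypted
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! Static crypto map: trigger, peer identity, transform and SA lifetime
crypto map CAMPUS 10 ipsec-isakmp
 match address 110
 set peer 203.0.113.1
 set transform-set TS-3DES-SHA
 set security-association lifetime seconds 3600
!
! Bind the crypto map to the external (ADSL dialer) interface
interface Dialer1
 crypto map CAMPUS
```

The far end mirrors this with the ACL source and destination swapped and `set peer` pointing at the remote site's single static address.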

Authentication of Known Peers

• One-to-one mappings between:
  – Peer IP addresses
  – Shared secret (unique to each peer)
• IKE Phase I Main Mode exchanges:
  1. Negotiate IKE SA and exchange cookies
  2. Diffie-Hellman public values and pseudo-random nonces
  3. Peers identify themselves and exchange authenticating hash

IKE Main Mode

Initiator                              Responder
  Hdr, SA Proposals             -->
                                <--   Hdr, Chosen Proposal
  Hdr, KE, Nonce                -->
                                <--   Hdr, KE, Nonce
  Hdr, IDii, Hash_I             -->
                                <--   Hdr, IDir, Hash_R
IKE SA Established

Coexistence of NAT and IPSec

• IPSec Precedes NAT
  – AH fails because source and/or destination addresses have changed
  – Transport-mode ESP invalidates TCP checksums
  – Invalidates IKE authentication exchange
• NAT Precedes IPSec
  – Crypto triggers do not fire when expected

Dynamic NAT vs Crypto

[Diagram: hosts A1, A2 and B1, B2, B3; Ethernet, NAT, dialer ACL and crypto map; IPSec tunnel]


Southgate and Capel Manor

• Shared student records database at Southgate

• Database queries & updates over high-speed WAN with crypto.

• Back-up interface using ISDN


Integrating Crypto and Routing

1. Create GRE tunnel interface

2. Routing protocol receives updates over T1 & T2

3. Bind crypto map to T1 and T2

4. Watch out for double fragmentations!
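An added example, not from the slides, of steps 1 to 4 on one end of the Southgate link. Assumed values: WAN address 203.0.113.5 locally and 203.0.113.9 at the far end, tunnel network 10.255.0.0/30, local prefix 192.168.20.0/24, EIGRP as the routing protocol and a transform set named TS-3DES-SHA; the ISDN backup tunnel (T2) follows the same pattern on its own interface.

```cisco
! 1. GRE tunnel interface; the routing adjacency runs over it
interface Tunnel1
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0
 tunnel destination 203.0.113.9
 ! 4. Leave room for GRE (24 bytes) plus ESP tunnel-mode overhead so the
 !    encrypted packet still fits a 1500-byte link without a second fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! 3. Crypto map on the tunnel interface (older IOS needs it here and on the physical interface)
 crypto map CAMPUS
!
interface Serial0
 ip address 203.0.113.5 255.255.255.252
 crypto map CAMPUS
!
! Crypto trigger: encrypt the GRE traffic itself rather than individual inside subnets
access-list 110 permit gre host 203.0.113.5 host 203.0.113.9
!
crypto map CAMPUS 10 ipsec-isakmp
 match address 110
 set peer 203.0.113.9
 set transform-set TS-3DES-SHA
!
! 2. Routing protocol learns the far-end prefixes over the tunnel
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.20.0 0.0.0.255
 no auto-summary
```

Check the result with `show crypto ipsec sa` (the encaps counters should rise with routing updates) and by sending a 1400-byte ping with the DF bit set across the tunnel.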


Fragmentation Hell


CDD and Physical Installation

CDD: Logical Installation

• Remote peer IP not known
  – Dynamic crypto
  – IKE Phase 1 uses aggressive mode
• Insecure shared secret
  – IKE extended authentication (XAuth)
• Central control of remote peer’s config
  – IPSec Mode-configuration (MODECFG)


Authentication of Unknown Peers

• Pre-shared secret not indexed by IP address

• IKE Phase I Aggressive Mode Exchange

• Supplementary authentication of user credentials

IKE Aggressive Mode

Initiator                                   Responder
  Hdr, SA, KE, Nonce, IDii           -->
                                     <--   Hdr, SA, KE, Nonce, IDir, Hash_R
  Hdr, Hash_I                        -->
IKE SA Established

CDD: IKE XAuth

• Router → PC
  – ISAKMP_CFG_REQUEST
• PC → Router
  – ISAKMP_CFG_REPLY
• Router → PC
  – ISAKMP_CFG_SET
• PC → Router
  – ISAKMP_CFG_ACK

CDD: Mode Configuration

Remote station configured by router with:

• a private IP address and mask
• a list of local prefixes that will be tunnelled
• a list of local domains and their associated resolvers
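An added example, not from the slides, of the main-campus router configuration behind the CDD slides: a dynamic crypto map for peers whose address is unknown, a group pre-shared key used in aggressive mode, XAuth for user credentials, and mode configuration pushing an address, the tunnelled prefixes and the domain and resolver. Assumed values: the local user database (a RADIUS server would normally replace it), the group name cdd-users, pool 10.0.0.2 to 10.0.0.254, domain example.ac.uk, resolver 192.168.0.10, external interface Ethernet1 and the placeholder secrets.

```cisco
! XAuth user credentials and group authorisation from the local database
aaa new-model
aaa authentication login XAUTH-USERS local
aaa authorization network VPN-GROUPS local
username alice password REPLACE-WITH-USER-PASSWORD
!
! IKE policy for remote users: pre-shared key; the group name identifies the peer, not its IP
crypto isakmp policy 20
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Mode configuration pushed to the PC: address, tunnelled prefixes, domain and resolver
crypto isakmp client configuration group cdd-users
 key REPLACE-WITH-GROUP-SECRET
 pool CDD-POOL
 acl 120
 domain example.ac.uk
 dns 192.168.0.10
ip local pool CDD-POOL 10.0.0.2 10.0.0.254
! Local prefixes the PC will send through the tunnel (split tunnelling)
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
!
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic crypto map: peer address and trigger are learned when the user connects
crypto dynamic-map CDD-DYN 10
 set transform-set TS-3DES-SHA
 reverse-route
!
! Tie XAuth, group authorisation and MODECFG to the crypto map, then bind it externally
crypto map REMOTE-USERS client authentication list XAUTH-USERS
crypto map REMOTE-USERS isakmp authorization list VPN-GROUPS
crypto map REMOTE-USERS client configuration address respond
crypto map REMOTE-USERS 65535 ipsec-isakmp dynamic CDD-DYN
!
interface Ethernet1
 crypto map REMOTE-USERS
```

The group key still travels through the aggressive-mode exchange, so XAuth supplies the per-user credential that the group secret alone cannot.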

Selective Static NAT

ip nat inside source static 10.0.0.5 212.219.240.225 route-map selective-nat
!
! Traffic to the tunnelled campus prefix must bypass NAT so the crypto trigger sees the real source
access-list 100 deny ip host 10.0.0.5 192.168.0.0 0.0.0.255
! Assumed here: everything else from the host is translated (a permit entry is needed
! for the route-map to match at all)
access-list 100 permit ip host 10.0.0.5 any
!
route-map selective-nat permit 10
 match ip address 100

Windows Gotchas

• Domain Logons Over Tunnel
  – Kerberos not tunnelled
• Shared secret not supported
  – Registry hack
