T-52 | IOS VPN TOUGH TASKS!
Posted by TacAck in 90 Day countdown on January 27th, 2010
Wow, I had so much fun yesterday. I had set out to learn certain hard aspects of VPN configuration. The difficult concepts that I wanted to learn were:
IOS
- EZVPN using ACS for Group Authorization and XAUTH
- EZVPN using ACS for Group-lock features
- EZVPN using PKI for per-user AAA
- Anyconnect VPN
ASA
- EZVPN using ACS for Group Authorization and XAUTH
- EZVPN using ACS for Group-lock features
- EZVPN using PKI for per-user AAA
- Anyconnect VPN
Unfortunately, because these were hard topics I took more time than expected and could only complete 2 of the tasks under the IOS section. I tried doing the EZVPN using PKI lab scenario, but I kept facing an error when I tried to enroll the Cisco VPN client with the CA. I’ll get this resolved and post my config soon!
TOPOLOGY (diagram)
Setting up basic EZVPN between TEST and R1 was pretty straightforward. The parameters that I used were:
Encryption : 3DES
Hash : MD5
Group : 2
Authentication : PSK
Address-pool : 20.0.0.1 – 20.0.0.254
Split ACL -> Tunnel traffic to subnet 136.1.120.0/24.
Firstly, I established an EZVPN tunnel using “LOCAL” group authentication and XAUTH. Later I added local “group-locking” on top of it. Until yesterday this feature was always a source of confusion for me, and luckily I figured it out. So here’s something I wrote; I hope this helps.
Here’s the simple concept. I’ll explain it using an example:
- Let’s assume that you have 2 GROUPS that the users VPN’ing in can connect to, namely VPN_USERS_1 and VPN_USERS_2.
- Let’s also assume that you have 2 users, tacack and tacack_2, both with a password of cisco.
- By default, when you configure EZVPN, both users can pick whichever group they want to connect to, and if they know the group’s password they can connect to that group.
- But sometimes we have access restrictions placed on certain groups, and we might only want tacack to connect to VPN_USERS_1 and tacack_2 to connect to VPN_USERS_2.
- This is where GROUP-LOCK comes into the picture.
- The steps that we need to follow to enable GROUP-LOCK are simple. Here they are:
- Configure the usernames to be used for XAUTH. By default we would configure the username as “tacack” with any password. But now, to ensure that group-lock is activated, we need a way of “ATTACHING” the username to a single group name. That’s done using the @ character, so we configure the username as “tacack@GROUP_NAME” with the same password. When entering the XAUTH credentials during login, the user must enter the username as “tacack@GROUP_NAME”. When the router receives the username from the VPN client and group-lock is turned on (see the next step), it strips the group name from the string and compares it with the group the client is trying to connect to (one of the groups configured on the EZVPN server). If the two group names match, the EZVPN tunnel is allowed.
- Enter the “group” configuration and enter the keyword “group-lock”. This command instructs the EZVPN server (R1) to “check” whether the user trying to connect to the GROUP is actually ALLOWED or AUTHORIZED to connect to that particular group, i.e. it tells the EZVPN server to strip the incoming username and authenticate the group name present in it. Once you configure this command, users trying to connect to this group MUST have their username configured in the username@group-name format, otherwise authentication fails. The beauty of this is that, because of this enforcement, users can now only connect to the one group they are authorized for.
crypto isakmp client configuration group VPN_USERS_1
 group-lock
crypto isakmp client configuration group VPN_USERS_2
 group-lock
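To put the two group-lock lines in context, here is a complete IOS EZVPN server configuration for R1 using the parameters listed above (3DES/MD5/DH group 2, PSK, pool 20.0.0.1–20.0.0.254, split tunnel to 136.1.120.0/24) with local XAUTH users locked to their groups. This is an added example written for this post, not the author’s saved config; the group pre-shared key “cisco”, the interface name FastEthernet0/0, and all the object names (EZVPN_XAUTH, EZVPN_GROUP, EZVPN_POOL, SPLIT_ACL, EZVPN_TS, EZVPN_DYN, EZVPN_MAP) are assumptions.

```ios
! Added example config (assumed names and keys), not the post's own config
aaa new-model
! XAUTH user authentication and group authorization both use the local database
aaa authentication login EZVPN_XAUTH local
aaa authorization network EZVPN_GROUP local
!
! Usernames carry the group they are locked to after the @ sign
username tacack@VPN_USERS_1 password cisco
username tacack_2@VPN_USERS_2 password cisco
!
! Phase 1 policy: 3DES / MD5 / DH group 2 / pre-shared key
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Address pool handed to connecting clients
ip local pool EZVPN_POOL 20.0.0.1 20.0.0.254
!
! Split-tunnel ACL: only traffic to 136.1.120.0/24 goes through the tunnel
ip access-list extended SPLIT_ACL
 permit ip 136.1.120.0 0.0.0.255 any
!
! Group policies. "cisco" is the assumed group pre-shared key.
! group-lock rejects any XAUTH user whose @group suffix does not match this group.
crypto isakmp client configuration group VPN_USERS_1
 key cisco
 pool EZVPN_POOL
 acl SPLIT_ACL
 group-lock
crypto isakmp client configuration group VPN_USERS_2
 key cisco
 pool EZVPN_POOL
 acl SPLIT_ACL
 group-lock
!
! Phase 2: transform set and dynamic crypto map for the remote-access clients
crypto ipsec transform-set EZVPN_TS esp-3des esp-md5-hmac
crypto dynamic-map EZVPN_DYN 10
 set transform-set EZVPN_TS
 reverse-route
!
! Tie XAUTH, group authorization and mode-config to the crypto map
crypto map EZVPN_MAP client authentication list EZVPN_XAUTH
crypto map EZVPN_MAP isakmp authorization list EZVPN_GROUP
crypto map EZVPN_MAP client configuration address respond
crypto map EZVPN_MAP 10 ipsec-isakmp dynamic EZVPN_DYN
!
interface FastEthernet0/0
 crypto map EZVPN_MAP
```

With this in place, logging in as tacack@VPN_USERS_1 against group VPN_USERS_1 succeeds, while the same credentials presented against VPN_USERS_2 (or the plain username tacack against either group) fail XAUTH; `debug crypto isakmp` on R1 shows the group-lock mismatch when a login is rejected.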
I really hope that made sense; if not, please feel free to send me an e-mail and I’ll gladly provide a better explanation.
Next came EZVPN group and XAUTH using the ACS. I thought that explaining this in writing would be cumbersome, so I made a crude video. The production and narration are pretty poor, so please forgive me. You can find it below (Part 1 and Part 2).
Now, for implementing group-lock using ACS, I made a small video and split it into 2 parts. You can find those below.
Yesterday was awesome! Although I managed to do only 2 tasks, I still felt like I made a lot of progress because these were all “TABOO” topics for me and I’ve managed to understand them well.
Today I’ll be doing the ASA config + AnyConnect VPN configuration (as I’d promised yesterday).
I hope this helps, and I hope you’re as excited as I am to nail VPNs!
Cheers,
TacACK
P.S.: I’ll be on Google Wave every day between 6 PM and 12 PM IST (i.e. 12:30 PM to 6:30 PM UTC). You can catch me there. My wave id is “ybnmts at googlewave.com”. Ryan (of www.routsec.com fame) will be there too, and he’s a very knowledgeable and helpful guy! Catch you there!

