Virtual Private Dialup Networks
1055_03F8_c4

David W. Phillips
Escalation Team/San Jose Global Support Engineering
IP VPN Taxonomy (diagram)
IP VPNs
  Dial: Client-Initiated, NAS-Initiated
  Dedicated: Virtual Circuit (FR, ATM), VPN Aware Networks, IP Tunnel (Security Appliance, Router)
Virtual Private Dialup Networks (diagram)
A Road Warrior with a portable computer running PPP, in the Narita Airport lounge, dials the Telco/Internet/ISP NAS (which has its own AAA server). The ISP forwards the session over a VPDN (L2F/L2TP) tunnel to the Corporate Headquarters Router/Home Gateway, behind the firewall, where the corporate AAA server and the internal network live.
VPDN Protocol History
• PPTP (Point-to-Point Tunneling Protocol): Microsoft/Ascend/3COM proprietary; Cisco doesn't support it
• L2F (Layer 2 Forwarding): Cisco proprietary (in Cisco IOS 11.2+)
• L2TP (Layer 2 Tunneling Protocol): IETF draft combining the best of PPTP and L2F
VPDN Basic Components
• Dial Client (PPP peer), connecting over async or ISDN
• L2TP Access Concentrator (LAC); L2F calls this the NAS
• L2TP Network Server (LNS); L2F calls this the Home Gateway
• AAA server (RADIUS/TACACS+) at both the LAC and the LNS
1. VPDN Client Connection
• The PPP peer places a call to the LAC (NAS)
• Exchange: LCP Confreq / LCP ConfAck in each direction, then a CHAP Challenge from the LAC and a CHAP Response with username = bar@foo.com
• LCP is the lower layer of the PPP stack. It is where authentication is performed, before any NCP negotiation such as IPCP or IPXCP
2. VPDN Tunnel Authorization
• The LAC (NAS) sends the domain of bar@foo.com to its RADIUS or TACACS+ server over the IP network; the reply says the tunnel for foo.com goes to LNS 10.1.1.1
• Controlled by the LAC / AAA security server
• End-point identified by domain or DNIS
• Example domain-to-LNS table on the AAA server:
    Domain      IP
    cisco.com   171.64.71.10
    sun.com     204.35.7.1
    intel.com   192.57.74.4
    foo.com     10.1.1.1
3. VPDN Tunnel Authentication
• Bidirectional CHAP authentication is done by the tunnel peers (LAC/NAS and LNS/HGW) before the tunnel is opened, with the RADIUS or TACACS+ server behind each
• RADIUS doesn't support outbound CHAP: the LNS/HGW must do tunnel authentication locally if using RADIUS
4. VPDN Client Authentication and Authorization
• Clients (username@domain) are authenticated at the LNS (Home Gateway), against its RADIUS or TACACS+ server
• PAP/CHAP/one-time password
• Client authorization and NCP negotiation take place at the LNS (Home Gateway). The PPP session terminates at the LNS
PPP and L2F Protocol Flow (diagram; parties: Remote User, NAS, NAS RADIUS Server, Home Gateway, HGW RADIUS Server; PPP runs between the Remote User and the NAS, L2F between the NAS and the Home Gateway)
(1) ISDN Setup (Remote User to NAS)
(2) PPP LCP Setup
(3) CHAP Challenge
(4) CHAP Response
(5) Request for AV Pairs (NAS to its RADIUS server): User = Domain or User@Domain, Password = Cisco
(6) Tunnel Info in AV Pairs (RADIUS server to NAS): NAS IP Address, NAS Port, Tunnel-ID, Service Type, NAS Password, HGW Password
(7) Tunnel Set Up (NAS to Home Gateway)
(8) CHAP Challenge
(9), (10) Request for AV Pairs
(11) HGW CHAP Response
(12) Pass
(13) CHAP Challenge
(14) NAS CHAP Response
(15) Pass
(16) User CHAP Response + Response Identifier + PPP Negotiated Parameters (NAS to Home Gateway)
(17-22) User CHAP Response + Response Identifier (Home Gateway to its RADIUS server)
(18-23) Yes (RADIUS server to Home Gateway)
(19) Pass
(20) Optional second CHAP Challenge
(21) CHAP Response
NAS Discovers the Tunnel
Debugs enabled: debug ppp negotiation, debug ppp authentication, debug vpdn event, debug aaa authentication, debug aaa authorization, debug radius

    As1 CHAP: O CHALLENGE id 1 len 26 from "nas01"
    As1 CHAP: I RESPONSE id 1 len 32 from "bar@foo.com"
    As1 PPP: Phase is FORWARDING
    VPDN: Looking for tunnel -- foo.com --
    AAA/AUTHEN: create_user (0x8F5F8) user='foo.com' ruser='' port='Async1' rem_addr='' authen_type=NONE service=LOGIN priv=0
    AAA/AUTHOR/VPDN: : (1478780313): user='foo.com'
    AAA/AUTHOR/VPDN: : (1478780313): send AV service=ppp
    AAA/AUTHOR/VPDN: : (1478780313): send AV protocol=vpdn
    AAA/AUTHOR/VPDN: : (1478780313): Method=RADIUS
    RADIUS: authenticating to get author data
    … <raw attributes displayed here>
    RADIUS: cisco AVPair "vpdn:ip-addresses=172.16.27.25"
    RADIUS: cisco AVPair "vpdn:tunnel-id=nas01"
    RADIUS: cisco AVPair "vpdn:nas-password=nasnas"
    RADIUS: cisco AVPair "vpdn:gw-password=hgwhgw"
    AAA/AUTHOR (1478780313): Post authorization status = PASS_REPL
The Tunnel Is Authenticated

    L2F: L2F_CONF received
    L2F: Creating new tunnel for nas01
    L2F: Got a tunnel named nas01, responding
    AAA/AUTHEN: create_user (0x60F50FE4) user='hgw01' ruser='' port='' rem_addr='' authen_type=CHAP service=PPP priv=1
    AAA/AUTHEN/START (0): port='' list='default' action=SENDAUTH service=PPP
    AAA/AUTHEN/START (0): non console login - defaults to local database
    AAA/AUTHEN/START (1013650812): Method=LOCAL
    AAA/AUTHEN (1013650812): status = PASS
    … <same is done for nas01>
    L2F: Open UDP socket from 172.16.27.25 to 172.16.27.11
    L2F: L2F_OPEN received

• This trace is from the Home Gateway. Note that the Home Gateway cannot use RADIUS for outbound CHAP authentication; RADIUS does not support this. Instead, "local" authentication is used in this case
Virtual Access Interface Created
• Virtual profiles (apply the interface configuration from the Virtual Template)
• Per-user config (adds the network configuration from the AAA server)

Home Gateway Cisco IOS configuration:
    interface Virtual-Template 1
     encapsulation ppp
     ip unnumbered Ethernet 0
     ppp authentication chap callin
     ppp multilink

RADIUS or TACACS+ configuration (per user):
    ip:inacl#1=deny tcp any any eq 23
    ip:inacl#2=permit ip any any
    ip:addr-pool=ni

Resulting interface:
    interface Virtual-Access 1
     encapsulation ppp
     ip unnumbered Ethernet 0
     ip:inacl#1=deny tcp any any eq 23
     ip:inacl#2=permit ip any any
     ip:addr-pool=ni
     ppp authentication chap callin
     ppp multilink
Virtual Access Interface Cloned

    Vi1 VTEMPLATE: ************* CLONE VACCESS1 *****************
    Vi1 VTEMPLATE: Clone from vtemplate1
    interface Virtual-Access1
     no ip address
     encap ppp
     ip unnumbered Ethernet6/0
     ip tcp header-compression passive
     no ip mroute-cache
     peer default ip address pool default
     compress stac
     ppp authentication chap callin USERS
     ppp multilink
    end

• Note that these configuration settings are "cloned" from a Virtual Template interface specified in the router configuration. A "virtual" access interface is needed because the Home Gateway does not physically terminate the call
• Debug used: debug vtemplate
Per-User Config Downloaded

    AAA/AUTHOR/FSM Vi1: (0): Can we start IPCP?
    AAA/AUTHOR/FSM: Virtual-Access1: (0): user='bar@foo.com'
    AAA/AUTHOR/FSM: Virtual-Access1: (0): send AV service=ppp
    AAA/AUTHOR/FSM: Virtual-Access1: (0): send AV protocol=ip
    AAA/AUTHOR/FSM: Virtual-Access1: (2189887367): Method=RADIUS
    RADIUS: cisco AVPair "ip:inacl#1=deny tcp any any eq 23"
    RADIUS: cisco AVPair "ip:inacl#2=permit ip any any"
    RADIUS: cisco AVPair "ip:addr-pool=ni"
    AAA/AUTHOR (2189887367): Post authorization status = PASS_REPL
    AAA/AUTHOR/FSM Vi1: We can start IPCP
    … <ppp negotiation processing debugs omitted>
    AAA/AUTHOR: parse 'ip access-list extended Virtual-Access1#0' ok
    AAA/AUTHOR: parse 'deny tcp any any eq 23' ok (0)
    AAA/AUTHOR: parse 'permit ip any any' ok (0)
    AAA/AUTHOR: Virtual-Access1: enqueue peruser IP txt=no ip access-list extended Virtual-Access1#0
    AAA/AUTHOR: Virtual-Access1: vaccess parse 'interface Virtual-Access1 IP access-group Virtual-Access1#0 in ' ok (0)

• Debug used: debug aaa per-user
Required NAS Cisco IOS Configuration
• The following are the VPDN-specific commands used on the NAS. They are all global configuration commands:
    vpdn enable
    vpdn outgoing foo.com nas01 ip 172.16.27.25     (only required if there is no RADIUS or TACACS+ server available)
• Optional:
    vpdn search-order domain dnis
    vpdn aaa override-server 10.1.1.1
    vpdn source-ip 172.16.27.11
    vpdn domain-delimiter @, /, %, #, - or \
AAA Basic Commands
    aaa new-model
Turns on AAA and applies local authentication to all lines and interfaces (except the console, which is left unprotected)
• Until this command is enabled, all other AAA commands are hidden
• Be careful not to lock yourself out of the router!
AAA Basic Commands (Cont.)
    aaa new-model
    aaa authentication login default radius local
Here "aaa authentication login" is the command name, "default" is the list name and "radius local" are the methods, tried in order.
AAA Basic Commands (Cont.)
    aaa new-model
    aaa authentication ppp default tacacs+ local
    aaa authentication ppp foo radius local
    interface Group-Async 1
     ppp authentication chap
    interface Virtual-Template 1
     ppp authentication chap foo
• The list name "foo" ties RADIUS to interface Virtual-Template 1
NAS Cisco IOS Sample Configuration
    aaa new-model
    aaa authentication login default radius local
    aaa authentication ppp VPDN radius
    aaa authorization network radius
    aaa accounting network start-stop radius
    !
    vpdn enable
    !
    interface Serial0:23
     encapsulation ppp
     ...
     ppp authentication chap VPDN
    !
    interface Group-Async1
     encapsulation ppp
     ...
     ppp authentication chap VPDN
    !
    radius-server host 172.16.151.41 auth-port 1645 acct-port 1646
    radius-server key foobar
NAS RADIUS Configuration
    user = foo.com {
        Radius=Cisco {
            Check Items= {
                Password=cisco
                User-Service-Type=Outbound User
            }
            Reply Attributes= {
                cisco-avpair="vpdn:tunnel-id=nas01"
                cisco-avpair="vpdn:ip-addresses=172.16.27.25"
                cisco-avpair="vpdn:nas-password=nasnas"
                cisco-avpair="vpdn:gw-password=hgwhgw"
            }
        }
    }
• Password=cisco is the hard-coded password for the domain user
• This is the syntax for CiscoSecure ACS for UNIX. Other RADIUS daemons may use a different syntax, but the attribute-value pairs should be the same
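The NAS-side tunnel lookup that this RADIUS record feeds, modelled in Python as an added example (not code from the presentation or from Cisco IOS): the domain is taken from the PPP username using the configured delimiter set, the AAA record for that key (or, failing that, for the call's DNIS, per "vpdn search-order domain dnis") is fetched, and the cisco-avpair reply values are turned into the tunnel parameters. The AAA_DB table, the DNIS-keyed lookup and the TunnelAuthorization record are assumptions of this example.

```python
"""NAS-side VPDN tunnel authorization (step 2 on the slides), modelled in
Python. Added example, not code from the presentation."""
from dataclasses import dataclass

# Constructed AAA records keyed by the endpoint identifier the NAS searches
# for: the domain of the PPP username first, then the DNIS of the call
# ("vpdn search-order domain dnis"). Values are the cisco-avpair strings
# from the NAS RADIUS configuration slide.
AAA_DB = {
    "foo.com": [
        "vpdn:tunnel-id=nas01",
        "vpdn:ip-addresses=172.16.27.25",
        "vpdn:nas-password=nasnas",
        "vpdn:gw-password=hgwhgw",
    ],
}
REQUIRED = ("vpdn:tunnel-id", "vpdn:ip-addresses",
            "vpdn:nas-password", "vpdn:gw-password")

@dataclass
class TunnelAuthorization:
    endpoint_key: str      # domain or DNIS that selected the tunnel
    tunnel_id: str
    ip_addresses: str      # raw value; "," and "/" groups are resolved later
    nas_password: str
    gw_password: str

def extract_domain(username, delimiters="@"):
    """Domain after the first configured delimiter ("vpdn domain-delimiter"),
    or None when the username carries no domain."""
    for i, ch in enumerate(username):
        if ch in delimiters:
            return username[i + 1:] or None
    return None

def parse_avpairs(avpairs):
    """'vpdn:tunnel-id=nas01' -> {'vpdn:tunnel-id': 'nas01'}; only the first
    '=' separates key and value, so values may themselves contain '='."""
    return dict(p.partition("=")[::2] for p in avpairs)

def authorize_tunnel(username, dnis=None, search_order=("domain", "dnis"),
                     db=AAA_DB):
    """Return a TunnelAuthorization, or None when the call is to be
    terminated locally rather than forwarded into a tunnel."""
    for method in search_order:
        key = extract_domain(username) if method == "domain" else dnis
        if key is None or key not in db:
            continue
        attrs = parse_avpairs(db[key])
        if all(k in attrs for k in REQUIRED):   # incomplete record: no tunnel
            return TunnelAuthorization(key, attrs["vpdn:tunnel-id"],
                                       attrs["vpdn:ip-addresses"],
                                       attrs["vpdn:nas-password"],
                                       attrs["vpdn:gw-password"])
    return None
```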
Home Gateway Cisco IOS Configuration
• The following are the VPDN-specific commands used on the Home Gateway.
Required:
    vpdn enable
    vpdn incoming nas01 hgw01 virtual-template 1
    interface Virtual-Template1
     ip unnumbered Ethernet6/0
     ip tcp header-compression passive
     no ip mroute-cache
     peer default ip address pool default
     ppp authentication chap VPDN
     ppp multilink
Optional:
    vpdn source-ip 172.16.27.11
    vpdn force-local-chap
Home Gateway Sample Config
    aaa new-model
    aaa authentication login default radius local
    aaa authentication ppp VPDN radius
    aaa authorization network radius
    aaa accounting network start-stop radius
    !
    vpdn enable
    vpdn incoming nas01 hgw01 virtual-template 1
    !
    interface Virtual-Template1
     ip unnumbered Ethernet6/0
     ip tcp header-compression passive
     no ip mroute-cache
     peer default ip address pool default
     ppp authentication chap VPDN
     ppp multilink
    !
    ip local pool default 10.1.1.1 10.1.1.48
    !
    radius-server host 172.16.151.41 auth-port 1645 acct-port 1646
    radius-server key foobar
HGW RADIUS Configuration
    user = bar@foo.com {
        set server max-sessions = 2
        Radius=Cisco {
            Check Items= {
                Password=foobar
            }
            Reply_Attributes= {
                User-Service-Type=Framed User
                Framed-Protocol=PPP
                cisco-avpair="ip:inacl#1=deny tcp any any eq 23"
                cisco-avpair="ip:inacl#2=permit ip any any"
                cisco-avpair="ip:addr-pool=ni"
            }
        }
    }
• This is the syntax for CiscoSecure ACS for UNIX. Some attributes are proprietary to CiscoSecure ACS, such as "max-sessions". This example shows the use of per-user configuration with vendor-specific attributes
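How the Home Gateway turns the ip:inacl#N reply attributes above into the ordered per-user access list seen in the "Per-User Config Downloaded" trace, as an added example in Python (not code from the presentation or from Cisco IOS). The evaluator is a simplified model of first-match ACL semantics for the entry forms used on the slides; the function names and the constructed packet tuples are assumptions of this example.

```python
"""Per-user access list assembled from RADIUS ip:inacl#N attributes, as the
Home Gateway does for its Virtual-Access interface. Added example, not code
from the presentation; the evaluator is a simplified model that understands
'permit|deny <ip|tcp|udp> <any|host A> <any|host B> [eq PORT]'."""
import re

ENTRY = re.compile(r"^(permit|deny)\s+(ip|tcp|udp)\s+(any|host\s+\S+)"
                   r"\s+(any|host\s+\S+)(?:\s+eq\s+(\d+))?$")

def build_acl(avpairs):
    """Collect the ip:inacl#N pairs, order them by N (the attribute order in
    the RADIUS reply is not significant) and parse each entry."""
    numbered = []
    for pair in avpairs:
        m = re.match(r"ip:inacl#(\d+)=(.*)", pair)
        if m:
            numbered.append((int(m.group(1)), m.group(2).strip()))
    acl = []
    for _, text in sorted(numbered):
        m = ENTRY.match(text)
        if not m:
            raise ValueError("unsupported access-list entry: %r" % text)
        acl.append(m.groups())      # (action, proto, src, dst, port-or-None)
    return acl

def _match_addr(spec, addr):
    parts = spec.split()             # ['any'] or ['host', A]
    return parts[0] == "any" or parts[1] == addr

def acl_permits(acl, proto, src, dst, dport=None):
    """First matching entry decides; no match means the implicit deny."""
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:          # 'ip' entries match any protocol
            continue
        if not (_match_addr(s, src) and _match_addr(d, dst)):
            continue
        if port is not None and str(dport) != port:
            continue
        return action == "permit"
    return False
```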
HGW RADIUS-Hosted IP Pools
• In order to host IP pools on a RADIUS server, a special RADIUS user is defined. The user is predefined to be "pools-<Home Gateway Name>". You can choose a different name, but then the HGW will need to be configured with the Cisco IOS command:
    aaa configuration config-usernames <YourPoolName>
    user = pools-hgw01 {
        radius=Cisco {
            Check Items= {
                Password=cisco
                User Service Type=Outbound User
            }
            Reply_Attributes= {
                cisco-avpair="ip:pool-def#1=ichi 1.1.1.1 1.1.1.48"
                cisco-avpair="ip:pool-def#2=ni 2.2.2.1 2.2.2.48"
                cisco-avpair="ip:pool-def#3=san 3.3.3.1 3.3.3.48"
            }
        }
    }
Show VPDN
    nas01# show vpdn
    % Active L2F tunnels = 1
    NAS Name      Gateway Name  NAS CLID  Gateway CLID  State
    nas01         hgw01         5         56            open
    172.16.27.11  172.16.27.25
    L2F MIDs = 1
    Name         NAS Name  Interface  MID  State
    bar@foo.com  nas01     As4        1    open
• Shows the state of the tunnel and the users who are multiplexed inside the tunnel. The output is the same on the NAS and Home Gateway side except for the interface
Show VPDN <NAS> <HGW>
    nas01# show vpdn nas01 hgw01
    NAS name: nas01  NAS CLID: 1  NAS IP address 172.16.27.11
    Gateway name: hgw01  Gateway CLID: 1  Gateway IP address 172.16.27.25
    State: open
    Packets out: 37  Bytes out: 2182
    Packets in: 11  Bytes in: 231
    -----------------
    MID: 1  User: bar@foo.com  Interface: Async1
    State: open
    Packets out: 27  Bytes out: 1968
    Packets in: 1  Bytes in: 17
• A more detailed look at the state of the tunnel, including packet statistics
• Each user has a "multiplex ID" (MID) within the tunnel
Home Gateway Commands
    hgw01# show users
        Line       User       Host(s)            Idle      Location
    *   2 vty 0    dphillip   idle               00:00:00  171.68.24.242
        Vi2        bar@foo.c  Virtual PPP (L2F)  00:00:05

    hgw01# show ip access-lists
    Standard IP access list 10
        permit 172.16.96.55
    Extended IP access list Virtual-Access2#0 (per-user)
        deny tcp any any eq telnet
        permit ip any any (3683 matches)

    hgw01# show ip local pool
    Pool     Begin          End            Free  InUse
    default  172.16.26.72   172.16.26.127  56    0
    ichi     1.1.1.1        1.1.1.48       48    0  (dynamic)
    ni       2.2.2.1        2.2.2.48       47    1  (dynamic)
    san      3.3.3.1        3.3.3.48       48    0  (dynamic)
Show Interface Virtual-Access
    hgw01# show interface virtual-access 1
    Virtual-Access1 is up, line protocol is up
      Hardware is Virtual Access interface
      Interface is unnumbered. Using address of Ethernet6/0 (172.16.25.114)
      MTU 1500 bytes, BW 100 Kbit, DLY 10000 usec, rely 255/255, load 1/255
      Encapsulation PPP, loopback not set, keepalive set (10 sec)
      DTR is pulsed for 5 seconds on reset
      LCP Open, multilink Closed
      Open: IPCP
      Last input 00:00:06, output never, output hang never
      Last clearing of "show interface" counters 15:26:14
      Queueing strategy: fifo
      Output queue 1/40, 0 drops; input queue 0/75, 0 drops
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
• Same as a normal interface
L2F Fast-Switching
• Cisco IOS version 11.2(3)F: Cisco 100x, 25xx, 4xxx, AS5200
• Cisco IOS version 11.3: Cisco 16xx, 36xx, 72xx, AS5300
• Fast-switching is on by default
• Use "no ip route-cache" to do process-switching
L2F Load Sharing (diagram: NAS with tunnels to HGW #1 and HGW #2)
• Random sessions load sharing, 11.3(1)
• Configuration must be done on the AAA server
    Domain     IP
    cisco.com  179.2.2.3
    cisco.com  194.1.1.1
    intel.com  192.57.74.4
    apple.com  137.64.132.4
L2F Load Sharing Configuration: RADIUS
    hp.com  Password = "cisco", User-Service-Type = Outbound-User
            cisco-avpair = "vpdn:tunnel-id=hp-gw",
            cisco-avpair = "vpdn:ip-addresses=179.2.2.3,194.1.1.1,193.2.2.2",
            cisco-avpair = "vpdn:nas-password=hello",
            cisco-avpair = "vpdn:gw-password=there"
• This syntax is typical of Livingston or Merit RADIUS. It is different from CiscoSecure, but the attributes and values are the same
L2F Load Sharing Configuration: TACACS+
    user = hp.com {
        service = ppp protocol = vpdn {
            tunnel-id = isp
            ip-addresses = "179.2.2.3,194.1.1.1,193.2.2.2"
            nas-password = "hello"
            gw-password = "there"
        }
    }
• This is the syntax for the TACACS+ freeware daemon. It is different from CiscoSecure, but the attributes and values are the same
L2F Backup (diagram: NAS with tunnels to HGW #1, marked unreachable, and HGW #2)
• Only if the primary Home Gateways are unreachable will the NAS establish the connection with the backup Home Gateways, 11.3(1)
• Configuration must be done on the AAA server
L2F Backup Configuration: RADIUS
    hp.com  Password = "cisco", User-Service-Type = Outbound-User
            cisco-avpair = "vpdn:tunnel-id=hp-gw",
            cisco-avpair = "vpdn:ip-addresses=179.2.2.3/194.1.1.1/193.2.2.2",
            cisco-avpair = "vpdn:nas-password=hello",
            cisco-avpair = "vpdn:gw-password=there"
• Identical to the load sharing configuration except for the use of the "/" delimiter
L2F Backup Configuration: TACACS+
    user = hp.com {
        service = ppp protocol = vpdn {
            tunnel-id = isp
            ip-addresses = "179.2.2.3/194.1.1.1/193.2.2.2"
            nas-password = "hello"
            gw-password = "there"
        }
    }
L2F Load Sharing/Backup
    vpdn:ip-addresses=179.2.2.3,194.1.1.1,193.2.2.2/2.2.2.2,3.3.3.3,4.4.4.4
    (primary group before the "/", secondary group after it)
• Load sharing across the primary group
• If all primaries fail, load sharing across the secondary group
• 11.3(1)
L2F DNS Name Support
    cisco-avpair = "vpdn:ip-addresses=CiscoHGW"
• The NAS checks its DNS cache and translates the DNS name to an IP address or addresses. If there is no cache entry, it does a DNS lookup against a DNS server
• If the HGW IP addresses change, there is no need to change the AAA configuration of the service provider
• 11.3(1)
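The gateway-selection rules of the last three slides (load sharing with ",", backup groups with "/", and DNS names in vpdn:ip-addresses) modelled in Python as an added example (not code from the presentation or from Cisco IOS). The `reachable` and `resolve` callbacks stand in for the NAS's tunnel setup attempt and its DNS cache/lookup and are assumptions of this example, as is the random choice within a group.

```python
"""Home Gateway selection from the vpdn:ip-addresses attribute, covering
load sharing (","), backup groups ("/") and DNS names. Added example, not
code from the presentation; `reachable` and `resolve` are callbacks that
stand in for the NAS's tunnel setup attempt and its DNS cache/lookup."""
import random

def parse_ip_addresses(value):
    """'a,b/c' -> [['a', 'b'], ['c']]: members of one group share load,
    later groups are used only when every earlier group is unreachable."""
    groups = []
    for group in value.split("/"):
        members = [m.strip() for m in group.split(",") if m.strip()]
        if not members:
            raise ValueError("empty gateway group in %r" % value)
        groups.append(members)
    return groups

def expand_names(group, resolve):
    """Replace DNS names with the address(es) they resolve to; dotted-quad
    literals are passed through unchanged."""
    addresses = []
    for member in group:
        if member.replace(".", "").isdigit():
            addresses.append(member)
        else:
            addresses.extend(resolve(member))
    return addresses

def choose_gateway(value, reachable, resolve=lambda name: [], rng=random):
    """Random choice among the reachable members of the first group that has
    any ('random sessions load sharing'); None when every gateway is down."""
    for group in parse_ip_addresses(value):
        candidates = [gw for gw in expand_names(group, resolve) if reachable(gw)]
        if candidates:
            return rng.choice(candidates)
    return None

# Constructed walk-through with the address list from the slide.
VALUE = "179.2.2.3,194.1.1.1,193.2.2.2/2.2.2.2,3.3.3.3,4.4.4.4"

def demo(down):
    """Gateway chosen when the addresses in `down` do not answer."""
    return choose_gateway(VALUE, lambda gw: gw not in down)
```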
L2F Double Authentication
• User authentication at the NAS (LAC) before username@network.com is forwarded into the network; user authentication still always takes place at the Home Gateway (LNS)
• Extra service attack prevention
• Unwanted traffic such as hacker@cisco.com will not be transferred across the tunnel
• Available in 11.3(1) with the hidden command "vpdn authen-before-forward"
Stackable HGWs (diagram: access path from the NAS to HGW #1 and HGW #2, grouped with SGBP)
• Random sessions load sharing and backup using MLPP and MPPP
• 11.3(3)T
    Domain     IP
    cisco.com  179.2.2.3
    cisco.com  194.1.1.1
    intel.com  192.57.74.4
    apple.com  137.64.132.4
L2F Multihop (diagram: Dial User to POP, then ISP, then Corp)
• Available in 11.3(3)T
• Works together with MMP NASes and stackable Home Gateways
LAC Scalability (diagram: LAC stackgroup with hybrid ISDN/analog access)
• Cisco MMP technology allows the LAC to grow as required
• The LAC appears as one single device
• 11.2(1)
L2F/L2TP with QoS (diagram: dial users through the LAC, the Internet/ISP and the LNS to Corp)
• Red gets better quality of service (more bandwidth) than Green
• Existing techniques may be used
End-to-End Encrypted Tunnels (diagram: encrypted data flows from the customer, through the service provider NAS and the VPDN PPP tunnel, to the Home Gateway)
• Available in 11.3(3)T
• Requires an IPSEC-compliant client or CPE device
VPDN Protocol Layering (top to bottom)
    TCP/UDP
    IP
    PPP
    L2F/L2TP
    UDP
    IP
    Frame Relay | ATM | <any transport>
Global Roaming Server
• Acts as an AAA broker, directing and translating AAA requests
• Non-intrusive solution: the existing AAA infrastructure remains in place
• Allows service providers to use their existing dial infrastructure to deliver new services to their customers
(Diagram: ISP PoP, Roaming Service Provider PoP, VPDN SP PoP and Roaming Consortium PoP exchange AAA through the GRS / Roaming Clearing House, reaching the Internet and the Corporate Intranet.)
Internet Roaming
(Diagram: a user in a hotel in Tokyo places a local call to the Remote Service Provider's (RSP) POP; the NAS sends AAA to the GRS, which directs it to the Internet Service Provider in Sydney, where AAA is performed against CiscoSecure ACS.)
• User accesses the ISP using the RSP's POPs
• GRS directs AAA to the ISP
• Authentication and authorization performed at the ISP using its policies
• Accounting forwarded by the GRS