
Friday, December 4, 2015

IPSec RA(Remote Access) VPN


Implementation of IPsec RA VPN

Using the VPN software client, also known as the legacy (Cisco IPsec) VPN client.

IKEv1: Phases, modes, auth methods
Mapping to the correct connection profile
Creating a new client connection
Additional tweaks

Two flavours

IKEv1
IKEv2

IKE Phase 1:
Builds the ISAKMP SA (the management tunnel) between the client and the ASA.
Negotiates 5 things (HAGLE):
Hash
Authentication method (PSK or digital cert)
Group (Diffie-Hellman group)
Lifetime
Encryption

IKE Phase 1 negotiation can be done in either of two modes.

Main mode
Uses six messages and sends the peer identities only after they can be encrypted. If we are using a digital cert for authentication we will use main mode.

Aggressive mode
Uses three messages, so the identity (the group name) and the hash derived from the PSK travel in the clear. With a pre-shared key the legacy client uses aggressive mode, because the ASA needs the group name from the ID payload to pick the right PSK before it can authenticate, and in main mode the ID arrives only after the PSK has already been used. The cost is the well-known IKEv1 weakness: anyone who captures the aggressive mode exchange can guess the group PSK offline. Behind the scenes the user is unaware of which mode is used.

IKE Phase 1.5, also called XAUTH (Extended Authentication) or client mode. Phase 1 only authenticated the machine (PSK or cert); this phase authenticates the user with a username and password, so the ASA knows who the user is. Mode config runs here as well and pushes the client its tunnel IP address, DNS servers and split-tunnel list.

IKE Phase 2: also called IPsec
Here we have only one mode: Quick Mode
Negotiates the transform set:
hash (integrity)
lifetime
encryption
(optionally PFS, a fresh DH exchange)

The IPsec SAs built here (one per direction) carry the actual user traffic.

Things we need:

users: have attributes like username, password and which group (group-policy) they belong to.
groups (group-policy): the attributes the group is going to get (address pool, split tunnel, DNS, timeouts).
connection-profile (tunnel-group): identifies somebody coming to the ASA and decides how that user is classified. With the legacy client the group name typed into the client must be the same as the connection profile name, because the ASA uses it to select the pre-shared key.

All of this is the same as for SSL VPN; the only difference is that here the transport is IPsec.

IKE Phase 1 happens over UDP port 500.
IPsec data uses ESP, which is IP protocol number 50. It is a Layer 3 protocol with no port numbers, not a Layer 4 port.


Because ESP has no port numbers, a PAT device cannot translate it, so plain IPsec will not work through PAT. In that case we use NAT-T (NAT Traversal): both peers detect the NAT during Phase 1 and the ESP packets are encapsulated in UDP port 4500, which the PAT device can translate like any other UDP flow.

Cisco also has its own proprietary option, IPsec over TCP, using default port 10000. We can use this if UDP is blocked on the path; it wraps the IKE and ESP traffic in a TCP stream and only works with Cisco clients.

Planning (lab values):
IKE Phase 1
group: ipsec - group-policy and connection profile with the same name
user: ipsec, password: cisco - to authenticate the user (XAUTH)
Also, to authenticate the user's machine we need a PSK or a digital cert
PSK: cisco - to authenticate the machine
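The plan above, written out as an ASA 8.4+ CLI configuration. This is an added example, not configuration from the original post: the group/user name "ipsec", the password "cisco" and the PSK "cisco" come from the planning notes and are lab-only values; the object, pool, map and ACL names (INSIDE-NET, RA-NET, RA-POOL, RA-TS, RA-DYN, OUTSIDE-MAP, SPLIT-ACL), the 10.1.1.0/24 inside network, the 10.10.10.0/24 client pool and the DNS server 10.1.1.10 are assumptions. It ties together the five Phase 1 parameters, the Phase 2 transform set, the user / group-policy / connection-profile triple, and the NAT-T and IPsec-over-TCP settings described above.

```cisco
! Added example, not from the original post. Lab values only: the PSK and
! user password "cisco" must never be used outside a lab. Names and
! addresses below are assumptions.

! --- IKE Phase 1: the five HAGLE parameters the client must match ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
 encryption aes-256
! Caveat: the legacy client negotiates DH group 2 (1024-bit), weak by
! today's standards, and with a PSK it uses aggressive mode, which
! exposes the group name and PSK hash. With certificate auth only,
! aggressive mode can be turned off with: crypto ikev1 am-disable

! --- IKE Phase 2: quick mode transform set (hash + encryption), lifetime ---
crypto ipsec ikev1 transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map RA-DYN 10 set ikev1 transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside

! --- Addresses handed to clients (mode config) and NAT exemption ---
ip local pool RA-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network RA-NET
 subnet 10.10.10.0 255.255.255.0
! Do not translate inside <-> VPN-pool traffic, or return packets miss the tunnel
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static RA-NET RA-NET no-proxy-arp route-lookup
! Only the inside network goes through the tunnel (split tunnelling)
access-list SPLIT-ACL standard permit 10.1.1.0 255.255.255.0

! --- group-policy: the attributes the group receives ---
group-policy ipsec internal
group-policy ipsec attributes
 vpn-tunnel-protocol ikev1
 dns-server value 10.1.1.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
 vpn-idle-timeout 30

! --- user: authenticated in Phase 1.5 (XAUTH) against the local database ---
username ipsec password cisco
username ipsec attributes
 vpn-group-policy ipsec

! --- connection profile (tunnel-group): its name must equal the group name
!     the client sends; the PSK authenticates the machine in Phase 1 ---
tunnel-group ipsec type remote-access
tunnel-group ipsec general-attributes
 address-pool RA-POOL
 default-group-policy ipsec
 authentication-server-group LOCAL
tunnel-group ipsec ipsec-attributes
 ikev1 pre-shared-key cisco

! --- clients behind PAT: NAT-T on UDP/4500 (keepalive every 20 s) and
!     Cisco IPsec over TCP on port 10000 when UDP is blocked ---
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000

! --- verification ---
! show vpn-sessiondb ra-ikev1-ipsec
! show crypto ikev1 sa
! show crypto ipsec sa
```

In the client, the group name "ipsec" and the group password "cisco" go into the connection entry, and the XAUTH prompt takes the user credentials. For anything beyond a lab, move user authentication off the local database to a AAA server and prefer certificates over a group PSK, since the PSK is shared by every user of the connection profile and is exposed to offline guessing by aggressive mode.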

ASDM Navigation :


Configuration - > Remote Access VPN ->

To see connection details on ASDM


Monitoring -> VPN-> VPN Statistics -> sessions

On cmd line:

show vpn-sessiondb ra-ikev1-ipsec


IPsec RA VPN stands for IPsec Remote Access Virtual Private Network. It is a type of VPN (Virtual Private Network) technology that provides secure remote access to corporate networks and resources for remote users or teleworkers. IPsec RA VPN utilizes the IPsec (Internet Protocol Security) protocol suite to establish encrypted tunnels between remote users' devices and the corporate network, ensuring confidentiality, integrity, and authenticity of data transmission over untrusted networks such as the Internet.

Key features and characteristics of IPsec RA VPN include:

1. **Secure Communication**: IPsec RA VPN establishes encrypted tunnels (also known as VPN tunnels) between remote users' devices (such as laptops, smartphones, or tablets) and the corporate network infrastructure, providing a secure communication channel for accessing internal resources.

2. **IPsec Protocol Suite**: IPsec RA VPN relies on the IPsec protocol suite for providing security services, including authentication, encryption, and integrity protection. IPsec can be configured in Transport mode or Tunnel mode; remote access uses Tunnel mode, since the client's pool address and the original packet are carried inside ESP to the gateway.

3. **Remote Access**: IPsec RA VPN allows remote users to securely access corporate networks and resources from any location with an internet connection. This enables telecommuting, remote work, and mobile workforce scenarios, facilitating productivity and flexibility for employees.

4. **Authentication and Authorization**: IPsec RA VPN typically supports various authentication methods, such as pre-shared keys, digital certificates, or EAP (Extensible Authentication Protocol) with IKEv2; IKEv1 uses XAUTH for the user credentials. These verify the identity of the machine and the user before access to the corporate network is granted.

5. **Access Control**: IPsec RA VPN solutions often include access control features that allow administrators to define granular policies for controlling remote users' access to specific network resources and services. This ensures that remote users only have access to the resources they are authorized to use.

6. **Client Software**: IPsec RA VPN solutions may require remote users to install VPN client software on their devices to establish VPN connections securely. The VPN client software handles the encryption and decryption of data packets and manages the VPN tunnel establishment process.

7. **Scalability and Flexibility**: IPsec RA VPN solutions are scalable and can accommodate a large number of simultaneous VPN connections from remote users. They are also flexible and can be deployed in various network environments, including on-premises data centers, cloud infrastructure, or hybrid environments.

Overall, IPsec RA VPN is a widely used remote access technology that provides secure connectivity for remote users, teleworkers, and mobile devices, enabling seamless access to corporate networks and resources while maintaining data confidentiality and security. It is commonly deployed by organizations of all sizes and industries to support remote work initiatives, enhance productivity, and ensure compliance with security policies and regulations.

