In this example, FlexVPN Remote Access VPN users authenticate to the Hub router using RSA certificates. Using the IKEv2 Name Mangler feature, the organizational unit (OU) value is extracted from the client certificate and used to select a local IKEv2 Authorization Policy. The IKEv2 Authorization Policy name must exactly match the value in the OU. The IKEv2 Authorization Policy, together with the referenced AAA attribute list, assigns per-session attributes to the user, for example VRF, IP pool and access list.
This configuration is an example of FlexVPN local authorization; the same result can be achieved using a RADIUS server. Refer to the previous posts for additional FlexVPN information.
FlexVPN Configuration
VRF
vrf definition Customer-1
 !
 address-family ipv4
 exit-address-family
!
vrf definition Customer-2
 !
 address-family ipv4
 exit-address-family
Loopback Interfaces
interface Loopback10
 vrf forwarding Customer-1
 ip address 10.100.0.1 255.255.255.255
!
interface Loopback11
 vrf forwarding Customer-1
 ip address 10.100.1.1 255.255.255.255
!
interface Loopback20
 vrf forwarding Customer-2
 ip address 10.200.0.1 255.255.255.255
!
interface Loopback21
 vrf forwarding Customer-2
 ip address 10.200.1.1 255.255.255.255
Access Lists
ip access-list extended ACL_CUSTOMER-1
 deny tcp any any eq www
 deny tcp any any eq 443
 permit ip any any
!
ip access-list extended ACL_CUSTOMER-2
 permit ip any any
AAA Configuration
AAA must be enabled and a method list for network authorization defined; this method list is referenced later in the IKEv2 Profile.
aaa new-model
aaa authorization network FLEX_LOCAL local
AAA Attribute Lists
To demonstrate some of the attributes that can be pushed to a client connection, different settings are applied in each AAA attribute list so that it is easy to confirm the correct list was applied.
aaa attribute list Customer-1
 attribute type interface-config "ip mtu 1100"
 attribute type interface-config "vrf forwarding Customer-1"
 attribute type interface-config "ip unnumbered lo10"
 attribute type interface-config "ip access-group ACL_CUSTOMER-1 in"
!
aaa attribute list Customer-2
 attribute type interface-config "ip mtu 1300"
 attribute type interface-config "vrf forwarding Customer-2"
 attribute type interface-config "ip unnumbered lo20"
 attribute type interface-config "ip access-group ACL_CUSTOMER-2 in"
 attribute type interface-config "ip verify unicast reverse-path"
 attribute type dns-servers "192.168.10.66"
 attribute type default-domain customer-2.lab
 attribute type netmask 255.255.255.128
 attribute type addr-pool "CUSTOMER-2_POOL"
VPN IP Pools
ip local pool CUSTOMER-1_POOL 10.100.2.1 10.100.2.254
ip local pool CUSTOMER-2_POOL 10.200.2.1 10.200.2.254
IKEv2 Authorization Policies
crypto ikev2 authorization policy Customer-1
 session-lifetime 360
 pool CUSTOMER-1_POOL
 dns 192.168.10.5
 netmask 255.255.255.0
 def-domain customer-1.local
 include-local-lan
 aaa attribute list Customer-1
For the Customer-2 Authorization Policy, to demonstrate an alternative way of configuring settings such as the DNS server, default domain, VPN pool and netmask, these settings are defined in the AAA attribute list that the policy references rather than in the policy itself.
crypto ikev2 authorization policy Customer-2
 aaa attribute list Customer-2
Virtual Template
The IP address and VRF will be assigned via the AAA attribute list; therefore the Virtual-Template must not be configured with an IP address.
interface Virtual-Template1 type tunnel
 no ip address
 tunnel source GigabitEthernet1
 tunnel protection ipsec profile IPSEC_PROFILE
IKEv2 Name Mangler & Profile
crypto ikev2 name-mangler NM_OU dn organization-unit
For authorization to be performed, the IKEv2 Profile must be configured for certificate-based group authorization using the method list defined earlier (FLEX_LOCAL) and the name mangler (NM_OU).
crypto ikev2 profile RAVPN
 match certificate CERT_MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint VPN_TP
 dpd 10 2 on-demand
 aaa authorization group cert list FLEX_LOCAL name-mangler NM_OU
 virtual-template 1 mode auto
 reconnect timeout 6000
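The following is an added example (not part of the original post or of Cisco IOS) that models the lookup the Hub performs: it parses a constructed, trimmed copy of the configuration above, extracts the OU from a client certificate subject DN as the NM_OU name mangler would, and resolves the IKEv2 authorization policy and the pool and VRF it pushes. The match is case-sensitive and exact, so a certificate whose OU is spelled differently from the policy name resolves to nothing, which is the failure mode to check first when a user cannot connect.

```python
import re

# Constructed sample: a trimmed copy of the hub configuration in this post.
SAMPLE_CONFIG = """\
aaa attribute list Customer-1
 attribute type interface-config "vrf forwarding Customer-1"
aaa attribute list Customer-2
 attribute type interface-config "vrf forwarding Customer-2"
 attribute type addr-pool "CUSTOMER-2_POOL"
crypto ikev2 authorization policy Customer-1
 pool CUSTOMER-1_POOL
 aaa attribute list Customer-1
crypto ikev2 authorization policy Customer-2
 aaa attribute list Customer-2
"""

def parse_blocks(config):
    """Group indented IOS lines under their column-0 parent command."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line and line[0] != " ":
            current = line.strip()
            blocks[current] = []
        elif line.strip() and current is not None:
            blocks[current].append(line.strip())
    return blocks

def mangle_ou(subject_dn):
    """Mimic 'dn organization-unit': value of the first OU RDN, or None."""
    rdns = (r.strip().partition("=") for r in subject_dn.split(","))
    return next((v.strip() for k, _, v in rdns if k.strip().upper() == "OU"), None)

def resolve_policy(subject_dn, config=SAMPLE_CONFIG):
    """Policy named exactly like the OU -> {policy, pool, vrf}; None if no match."""
    blocks, ou = parse_blocks(config), mangle_ou(subject_dn)
    body = blocks.get(f"crypto ikev2 authorization policy {ou}")
    if body is None:  # missing OU, or case/spelling mismatch: authorization fails
        return None
    result = {"policy": ou, "pool": None, "vrf": None}
    for line in body:
        if line.startswith("pool "):
            result["pool"] = line.split()[1]
        elif line.startswith("aaa attribute list "):
            for attr in blocks.get(f"aaa attribute list {line.split()[3]}", []):
                m = re.match(r'attribute type (\S+) "?([^"]*)"?', attr)
                if m and m.group(1) == "addr-pool":
                    result["pool"] = m.group(2)
                elif m and m.group(2).startswith("vrf forwarding "):
                    result["vrf"] = m.group(2).split()[2]
    return result
```

Pointing `config` at a saved copy of the real running configuration lets you check every expected certificate OU against the policies before users are enrolled.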
Windows & AnyConnect/Secure Client Configuration
AnyConnect Profile
To configure the AnyConnect VPN client, use the Cisco AnyConnect VPN Profile Editor to create a configuration file.
- Open the AnyConnect Profile Editor
- Navigate to the Server List tab
- Enter an appropriate Display Name
- Select the Primary Protocol as IPSec
- Enter the FQDN or IP Address of the FlexVPN Hub
- Untick the ASA gateway box
- Select Auth Method During IKE Negotiation as IKE-RSA
- Click OK
- Save the configuration to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
- Reboot the computer or restart the AnyConnect services
Certificates
Because the IKEv2 Name Mangler extracts the OU value, the certificate subject must contain an OU, and that OU value must match the name of an IKEv2 Authorization Policy on the Hub. In this example User1 has an OU value of Customer-1 and User2 has an OU value of Customer-2.
Testing/Verification
Testing User1 (Customer-1)
Upon successful connection to the VPN as User1, we can see the client has been issued the IP address 10.100.2.2 from the correct VPN IP pool, CUSTOMER-1_POOL.
Using the command show crypto session detail we can confirm the session matched the IKEv2 Profile named RAVPN and has been placed into VRF Customer-1. We can also confirm the OU value and the IP address assigned to the client.
Using the command show ip interface Virtual-Access 1 we can confirm the Hub is using the correct Loopback interface (Lo10) as the source (as defined in the AAA attribute list) and that the correct ACL, VRF and MTU attributes have also been applied.
Testing User2 (Customer-2)
Reconnecting to the VPN as User2, we can see the client has been issued the IP address 10.200.2.4 from the correct VPN IP pool, CUSTOMER-2_POOL.
Using the command show crypto session detail we can confirm the session matched the IKEv2 Profile named RAVPN and has been placed into VRF Customer-2, and we can also confirm the OU value.
Using the command show ip interface Virtual-Access 1 we can confirm the Hub is using the correct Loopback interface (Lo20) as the source (as defined in the AAA attribute list) and that the different ACL, VRF, MTU and uRPF settings have also been applied.
Running the command show derived-config interface virtual-access1 confirms the attributes have been applied to the Virtual-Access interface on the Hub.
We can confirm the Virtual-Access 1 IP address is present in the VRF Customer-1 routing table using the command show ip route vrf Customer-1.
On the Windows client, running the command ipconfig /all shows that the correct DNS server, default domain and netmask were pushed via the AAA attribute list.
Full Configuration
aaa new-model
!
aaa authorization network FLEX_LOCAL local
!
aaa attribute list Customer-1
 attribute type interface-config "ip mtu 1100"
 attribute type interface-config "vrf forwarding Customer-1"
 attribute type interface-config "ip unnumbered lo10"
 attribute type interface-config "ip access-group ACL_CUSTOMER-1 in"
!
aaa attribute list Customer-2
 attribute type interface-config "ip mtu 1300"
 attribute type interface-config "vrf forwarding Customer-2"
 attribute type interface-config "ip unnumbered lo20"
 attribute type interface-config "ip access-group ACL_CUSTOMER-2 in"
 attribute type interface-config "ip verify unicast reverse-path"
 attribute type dns-servers "192.168.10.66"
 attribute type default-domain "customer-2.local"
 attribute type netmask 255.255.255.128
 attribute type addr-pool "CUSTOMER-2_POOL"
!
crypto pki trustpoint VPN_TP
 enrollment retry count 30
 enrollment mode ra
 enrollment url http://192.168.10.5:80/certsrv/mscep/mscep.dll
 serial-number none
 ip-address none
 subject-name CN=HQ-RTR.lab.net,OU=US-Branch,C=US
 revocation-check none
 rsakeypair HQ-RTR
 auto-enroll 10 regenerate
!
crypto pki certificate map CERT_MAP 5
 issuer-name co lab-pki-ca
!
crypto ikev2 name-mangler NM_OU
 dn organization-unit
!
crypto ikev2 authorization policy Customer-1
 session-lifetime 360
 pool CUSTOMER-1_POOL
 dns 192.168.10.5
 netmask 255.255.255.0
 def-domain customer-1.local
 include-local-lan
 aaa attribute list Customer-1
!
crypto ikev2 authorization policy Customer-2
 aaa attribute list Customer-2
!
crypto ikev2 proposal IKEv2_PROPOSAL
 encryption aes-cbc-256
 integrity sha512 sha384
 group 19 14 21 5
!
crypto ikev2 policy IKEv2_POLICY
 proposal IKEv2_PROPOSAL
no crypto ikev2 policy default
!
crypto ikev2 profile RAVPN
 match certificate CERT_MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint VPN_TP
 lifetime 120
 dpd 10 2 on-demand
 aaa authorization group cert list FLEX_LOCAL name-mangler NM_OU
 virtual-template 1 mode auto
 reconnect timeout 6000
!
no crypto ikev2 http-url cert
!
no crypto isakmp default policy
!
!
crypto ipsec transform-set TSET esp-gcm
 mode transport
no crypto ipsec transform-set default
!
crypto ipsec profile IPSEC_PROFILE
 set security-association lifetime seconds 86400
 set transform-set TSET
 set ikev2-profile RAVPN
!
no crypto ipsec profile default
!
interface Loopback10
 vrf forwarding Customer-1
 ip address 10.100.0.1 255.255.255.255
!
interface Loopback11
 vrf forwarding Customer-1
 ip address 10.100.1.1 255.255.255.255
!
interface Loopback20
 vrf forwarding Customer-2
 ip address 10.200.0.1 255.255.255.255
!
interface Loopback21
 vrf forwarding Customer-2
 ip address 10.200.1.1 255.255.255.255
!
interface GigabitEthernet1
 ip address 1.1.1.5 255.255.255.0
!
interface GigabitEthernet2
 ip address 192.168.250.2 255.255.255.252
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel source GigabitEthernet1
 tunnel protection ipsec profile IPSEC_PROFILE
!
ip local pool CUSTOMER-1_POOL 10.100.2.1 10.100.2.254
ip local pool CUSTOMER-2_POOL 10.200.2.1 10.200.2.254
!
ip access-list extended ACL_CUSTOMER-1
 deny tcp any any eq www
 deny tcp any any eq 443
 permit ip any any
!
ip access-list extended ACL_CUSTOMER-2
 permit ip any any