Cisco ASA multiple dynamic VPN support (defaultRAGroup-defaultl2lGroup)

ciscocisco-asacisco-ioscisco-ios-15

Question (short)

How to set up 2 totally different dynamic l2l vpn tunnels on an ASA5506

Question (extended)

We have a Cisco ASA5506 Security Appliance and we want to set up 2 dynamic VPN setups.

Tunnel for various windows clients;
Tunnel to a branch office with dynamic ip using DynDNS.

We can set up the tunnels individually without a problem but cant get them working both at once.

VPN 1 (windows clients)

Cisco ASA5506 config

group-policy l2tp-ipsec_policy internal

group-policy l2tp-ipsec_policy attributes
  dns-server value 10.100.3.1
  vpn-tunnel-protocol l2tp-ipsec            
  default-domain value vbv.local

  banner value U bent nu aangemeld op het netwerk, zet uw VPN verbinding uit wanneer u klaar bent.
  wins-server value 10.100.3.1
  dns-server value 10.100.3.1
  vpn-filter value VBV_VPN_CLIENT_FILTER
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VBV_VPN_CLIENTS  
exit

tunnel-group DefaultRAGroup general-attributes
  default-group-policy l2tp-ipsec_policy
  address-pool POOL-VPN_VBVLOCAL        
  authentication-server-group VBV_LDAP LOCAL
  password-management
  strip-realm
exit    

tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *****
exit

tunnel-group DefaultRAGroup ppp-attributes
  authentication pap
  no authentication chap
  no authentication ms-chap-v1
  no authentication ms-chap-v2
exit

crypto ipsec transform-set winClient esp-3des esp-sha-hmac
crypto ipsec transform-set winClient mode transport

crypto dynamic-map dynWinVPN 500 set ikev1 transform-set winClient

crypto map cmap_WAN-GLASVEZEL 500 ipsec-isakmp dynamic dynWinVPN


crypto isakmp enable WAN-GLASVEZEL

crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
exit

access-list VBV_VPN_CLIENT_FILTER extended permit object-group obj-VBVLOCAL_VPN_AllowedServices any any log notifications
access-list VBV_VPN_CLIENTS extended permit ip object-group obj-VBVLOCAL_VPN_AllowedNetworks any

Above on itself working perfectly, i know about the PAP auth but the reason is the LDAP verification. (cant get that working with mschapv2 and is of later concern).

VPN 2 (site to site to branch office)

Cisco ASA5506 config

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map ***.dyndns.org 100 set pfs group1
crypto dynamic-map ***.dyndns.org 100 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map ***.dyndns.org 100 set security-association lifetime seconds 86400
crypto dynamic-map ***.dyndns.org 100 set security-association lifetime kilobytes 9216000

crypto map cmap_WAN-GLASVEZEL 100 ipsec-isakmp dynamic ***.dyndns.org

crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!

tunnel-group ***.dyndns.org type ipsec-l2l
tunnel-group ***.dyndns.org general-attributes
 default-group-policy grpPol_vbvjb
tunnel-group ***.dyndns.org ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
!

Branch office Cisco 881 router

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ****** address ***
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15
!
crypto ipsec security-association lifetime kilobytes 9216000
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP-***_BACKUP 1 ipsec-isakmp
 description TUNNEL-***_BACKUP_****
 set peer *****
 set transform-set ESP-3DES-SHA
 set pfs group1
 match address 171
!
access-list 171 remark VPN-IPSEC-***_BACKUP
access-list 171 permit ip 192.168.10.0 0.0.0.255 10.100.0.0 0.0.3.255 log
access-list 177 permit icmp any host 10.100.3.1

Same story here, fully working on its own but can't combine with the setup from above.

So in short, i can set up both VPN setups and get them working but i cannot get them working in one configuration.

Keynotes

Works seperately but not toghether;
Branch office uses dynDNS because it has no static IP;
Windows VPN Clients use 2l2 with ldap server verification;
Strange this i see is site2site uses defaultRAGroup and clients defaultl2lgroup.
How can i check catch correct crypto dynamic map?

Hope someone in here can help so we do not have to call Cisco TAC.

Best Answer

Try changing the crypto map sequence number for the dynamic entry to a higher one (e.g. >500), see this note:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46242-lan-to-lan-vpn-client.html#crypto

Related Solutions

Cisco – the proper way to config a Site to Site IPSEC VPN and a Remote Access VLAN on the same external interface? Cisco 891 ISR

Taking a shot in the dark here because there are a lot of variables you didn't mention. Please update the question to include the specific technologies you are using, your currnet config, and the error you are getting. But if you are using for instance, DMVPN + EZVPN, you will probably have to use keyrings and multiple ISAKMP profiles. Since you point to phase 1 issues I would check that. The following links give reference configs for DMVPN and EZVPN and L2L+EZVPN. You should be able to modify to suit your needs.

Here's a ISAKMP Profile reference for some lunchtime reading.

IPsec VPN – How is the Pre-Shared Key Encrypted?

You've asked a great question. The question seems very simple, but in fact the answer is somewhat more complex. I'll do my best to answer it in a succinct manner. Also, since you mentioned ISAKMP, I am going to assume you are interested in IKEv1. Things change a little for IKEv2 (well, a lot), but I did want to mention the answer below only correlates to IKEv1.

Phase 1 can be accomplished in two different mods: Main Mode and Aggressive Mode. In either mode, the first message is sent by the Initiator, and the second message is sent by the Responder. Both of these messages include what is known in the cryptography world as a Nonce. A Nonce is simply a randomly generated number to use in key generation. (the term Nonce comes from _N_umber used _Once_). So, after message 1 and message 2, both sides know each other's Nonces.

The Nonce's are combined with the Pre-Shared-Key to create a Seed value for generating secret keys. The relative part of the IKE RFC is here:

 For pre-shared keys:       SKEYID = prf(pre-shared-key, Ni_b | Nr_b)

SKEYID is the Seed value that will later be used to generate additional secret keys. The Pre-Shared-Key and both Nonce values (Ni_b is the Initiator's Nonce, and Nr_B is the Responder's Nonce) is combined by using a PRF, or Psuedo Random Function. A PRF is like a hashing algorithm, except that the result can be as many bits as you need.

Now, if you were initially doing Main Mode, messages 3 and 4 share the Initiator's and Responder's (respectively) Diffie-Hellman public keys. They both use the these values to generate the Diffie-Hellman shared secret. If you were doing Aggressive mode, these DH Public values are also included in Message 1 and Message 2 (along with the Nonces).

The Seed value is then combined with the DH Shared Secret (and a few other values) to create three Session Keys: a Derevative key, an Authentication key, and an Encryption key. The RFC states it as such:

The result of either Main Mode or Aggressive Mode is three groups of authenticated keying material:
 SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
 SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
 SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

SKEYID_d, _a, and _e are the three Session keys mentioned above. SKEYID is the Seed value. g^xy is the DH Shared Secret. CKY-I and CKI-R are the Initiator and Responder Cookies, these are just additional randomly generated values that are used later to identify this particular ISAKMP exchange and security association. 0 1 2 are the literal numbers 0, 1, and 2. The Pipe symbol | represents concatenation.

In any case, all these values are combined together using a PRF which creates three Session keys:

Derivative Key -- this key is not used by ISAKMP, and is instead handed to IPsec so that IPsec can create its own Secret Keys
Authentication Key -- this key is used by ISAKMP in its HMAC (aka, Hashing algorithm secured with a Secret key)
Encryption Key -- this key is used by ISAKMP to symmetrically encrypt anything ISAKMP wants to securely to the other peer. So if the chosen Encryption algorithm for Phase1 is AES, AES will use this key to symmetrically encrypt data -- AES will not generate its own keying material.

The Authentication Key and Encryption Key are used to secure/encrypt the ensuing Phase2 negotiation. In Main Mode, messages 5 and 6 of Phase1 are also protected by these keys. Furthermore, any future ISAKMP informational exchanges (DPD, Rekey events, Delete messages, etc) are also protected by these two keys.

The Derivative Key is handed to IPsec, and IPsec generates its own Keying material from this Key. If you recall, IPsec does not innately include a Key Exchange mechanism, so the only way for it to acquire secret keys is to either set them manually (which is archaic, and never really done anymore), OR to depend on an external service to provide the keying material, like ISAKMP.

The RFC says it like so:

SKEYID_e is the keying material used by the ISAKMP SA to protect the confidentiality of its messages.

SKEYID_a is the keying material used by the ISAKMP SA to authenticate its messages.

SKEYID_d is the keying material used to derive keys for non-ISAKMP security associations.

With all that said, we can refer back to your question: What key is used to secure the Pre-Shared-Key?

In Main Mode, the Pre-Shared-Key (PSK) is verified in Messages 5 and 6. Message 5 and 6 are Protected by the Session keys ISAKMP generates, described above.

In Aggressive Mode, none of the messages in the negotiation are encrypted. And the PSK is verified in Messages 2 and 3. Notice, I said in both cases the PSK is verified, and I never said the PSK is exchanged. Obviously, if nothing in Aggressive mode is Encrypted, and you simply sent the Pre-Shared-Key across the wire unencrypted, there would be a huge gaping security vulnerability.

Lucky for us, the writers of ISAKMP already thought of that. And as a result, they created a special method for verifying that each party has the correct PSK, without actually sharing it across the wire. There are two items that are use to validate to each Peer that they both have the same PSK: the Identity Method and the Identity Hash.

VPN Peers can choose to identify themselves by various methods; most commonly, peers will simply use their source IP address. But they have the option to use a FQDN or Hostname. Each of these, along with the correlating value for the chosen method, are what make up the Identity Method. So for example, if I had the IP 5.5.5.5, and I wanted to use my IP address to identify myself, my ID Method would effectively be [IP Address, 5.5.5.5]. (Note: BOTH values make up the entire ID Method)

The ID Method is then combined (using a PRF) with the Seed value we discussed earlier (SKEYID), and a few other values, to create the Identity Hash. Recall, that what went into creating SKEYID in the first place was the Pre-Shared-Key.

The ID Method and ID Hash are then sent across the wire, and the other party attempts to re-create the ID Hash using the same formula. If the receiver is able to re-create the same ID Hash, it proves to the receiver that the sender must have had the correct pre-shared-key.

This is described in the RFC here:

To authenticate either exchange the initiator of the protocol generates HASH_I and the responder generates HASH_R where:
HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )

IDii and IDir are the ID Method. And HASH_I and HASH_R are the Initiator and Responder hash's. Both of these are shared in Phase1. From the RFC:

When doing a pre-shared key authentication, Main Mode is defined as follows:

         Initiator                        Responder
        ----------                       -----------
         HDR, SA             -->
                             <--    HDR, SA
         HDR, KE, Ni         -->
                             <--    HDR, KE, Nr
         HDR*, IDii, HASH_I  -->
                             <--    HDR*, IDir, HASH_R

Aggressive mode with a pre-shared key is described as follows:

       Initiator                        Responder
      -----------                      -----------
       HDR, SA, KE, Ni, IDii -->
                             <--    HDR, SA, KE, Nr, IDir, HASH_R
       HDR, HASH_I           -->

And now, we can finally answer your question fully:

The Pre-Shared-Key is combined using a PRF with Nonces, and a bunch of other values known to anyone else in the negotiation. The result is a value that can only be mutually attained by two parties if both parties started with the same values -- aka, the same pre-shared-key. The resulting value is what is shared on the wire, with allows two parties to verify they have matching Pre-Shared-Keys without actually exposing any information about the Pre-Shared-Key itself.

Main Mode goes a step more secure by also encrypting the exchange of the "resulting value" described above, making it even more difficult to extract any useful information about what the Pre-Shared-Key was.

(it seems I failed miserably at answering this succinctly)