- IKE
- IKEv1
- IKEv2
- IKEv2 header
- Generic payload header
- Proposal substructure
- Transform substructure
- Key exchange substructure
- Identification substructure
- Certificate substructure
- Certificate request substructure
- Authentication substructure
- Notify substructure
- Delete substructure
- Traffic selector substructure
- Encrypted payload substructure
- Configuration payload substructure
- Encrypted fragment payload substructure
- IKEv2 message flow
- IOS CLI
- IKEv2 notify
- IKEv2 key material generation
- NAT-T
- MOBIKE
- Spoke-to-spoke tunnel
- DPD
- IKEv2 call admission control
- IKEv2 fragmentation
- SGT
- PKI
- Name mangler
- AuthZ
- Configuration
- EAP
- Virtual-access interface
- CoA/PoD
- Auto-reconnect
- MFA
- Load-balancing
- Design
IKE
- UDP 500
- UDP 4500 starting from 5-6th message in Main Mode
- DSCP CS6
- Transform set: parameters, implementing policy (algorithms, curves etc) – must match for tunnel to be built
- IPsec tunnel can be recreated using IKE tunnel
- phases
- IKE SA negotiation: Main Mode (site-to-site), Aggressive Mode (remote access: non-IP identity is available immediately)
- IPsec SA negotiation: Quick Mode
IKEv1 vs IKEv2
- IKEv1
- EzVPN
- different RFCs, draft RFCs (e.g. Xauth)
- different implementations: gateway and client might be incompatible
- responder must have lower or equal SA lifetime (part of SA in MM1, MM2)
- negotiates authC method
- authC on rekey
- IKEv2
- FlexVPN
- lower count of RFCs
- multivendor compatibility (SA lifetime – local attribute)
- no negotiation of SA lifetime, authC method – unidirectional authC
- EAP: EAP pass-through, no local authC, responder authC with certificate
- SuiteB: AES-GCM, ECDSA, ECDH, SHA2
- more performance ≡ tunnels because of less messages on tunnel setup
- DoS protection with Photuris-style cookie: client must retransmit with cookie before CPU-intensive DH → spoofed IP won’t do that
- dead peer detection
- NAT-T
IKEv1
Key material generation
SKEYID = PRF(PSK, N_i_b|N_r_b)
- IP source is used to select PSK – cannot be used for remote-access VPN
IOS CLI
; enabled by default
(config)# crypto isakmp enable
; IKEv1 tunnel parameters, responder compares received policies to its own
; responder: 10, 20; sender 1, 2; 10 ? 1 → 20 ? 1 → 10 ? 2 → 20 ? 2
(config)# crypto isakmp policy <num>
(config-isakmp)# authentication <MODE>
(config-isakmp)# encryption <ENCRYPT>
(config-isakmp)# hash <HASH>
(config-isakmp)# lifetime <secs>
; IP = NBMA address of physical interface (DMVPN)
(config)# crypto isakmp key 0|6 <PASS> address <IP>
; keepalive IKEv1 peer, helps on tunnel tear down (e.g. hub is down)
; 5 lost DPDs = failure (dead peer detection packets)
(config)# crypto isakmp keepalive <secs> periodic
; hostname default, on certificate-based authC DN is better (ASA compares DN, IKE)
(config)# crypto isakmp identity address|dn|hostname
; global by default
(config)# crypto keyring <RING> vrf <FVRF>
(conf-keyring)# pre-shared-key address <IP> key <PASS>
(config)# crypto isakmp peer address <IP>
(config-isakmp-peer)# set aggressive-mode password <PASS>
(config-isakmp-peer)# set aggressive-mode client-endpoint ipv4-address <IP>
(config)# crypto isakmp profile <NAME>
; global by default, not required for tunnels! only crypto-maps
(conf-isa-prof)# vrf <IVRF>
(conf-isa-prof)# keyring <RING>
(conf-isa-prof)# match identity address <IP> <mask> <FVRF>
(conf-isa-prof)# match certificate <CERTMAP>
# show crypto isakmp policy
# show crypto isakmp sa
ASA CLI
; IKEv1 → IKEv2
(config)# migrate [l2l|remote-access] [overwrite]
IKEv2
- combined mode cipher (GCM) does not need function for integrity calculation (but requires for pseudorandom function)
- on certificate authC may pass certificate SHA and URL instead of certificate itself: protection from buffer exhaust
- responder may select subnet from TS initiator
- anti-replay
- windowing ≡ number of messages in-flight (5 default)
- asymmetric
- can only be increased during session
- always 1 for init
- config payload: in IKE_AUTH, before SA exchange
- can use different sessions (SA) with different ID between same endpoints (IP:port)
- DSCP-SA QoS mapping
- to reduce drops because of anti-replay check failure
- TS can be the same
- DH is not resistant to quantum computing ⇒ IKEv2 is not resistant because of SKEYSEED (IKEv1 is quantum-resistant)
- uses smart defaults if no policy is defined
- no authC on session rekey
- session lifetime can be limited, on expiry – tear down instead of rekey
- for temporary RA
- config: local, RADIUS attribute 27
IKEv2 header
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator SPI |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder SPI |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next payload | MjVer | MnVer | Exchange Type |Rsv|R|V|I| Rsv |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
MjVer: major version, =2
MnVer: minor version, =0
Exchange type
- 34 = IKE_SA_INIT
- 35 = IKE_AUTH
- 36 = CREATE_CHILD_SA
- 37 = INFORMATIONAL
R: response
V: version (can use higher MjVer; =0 for IKEv2)
I: initiator
Length: bytes, includes header
SPI: clear text, integrity protected
Message ID: 0 for Init, +1 every exchange, used for windowing
Generic payload header
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next payload |C| Reserved | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
C: critical, 0 ≡ can be ignored if not supported
Next payload:
- 0 = no payload
- 1-32: IKEv1
- 33 = SA
- 34 = key exchange
- 35 = initiator ID
- 36 = responder ID
- 37 = certificate
- 38 = certreq
- 39 = authentication
- 40 = nonce
- 41 = notify
- 42 = delete
- 43 = vendor ID
- 44 = initiator traffic selector (TSi)
- 45 = responder traffic selector (TSr)
- 46 = encrypted and authenticated (SK)
- 47 = configuration (CP)
- 48 = EAP
- 53 = encrypted fragment payload (SKF)
Proposal substructure
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Last substruct | Reserved | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Proposal Num | Protocol ID | SPI size | Num Transform |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ SPI /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Transforms /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Last substruct
- 0 = last
- 2 = not last
- IKEv1 legacy
Protocol ID
- 1 = IKE
- 2 = AH
- 3 = ESP
SPI size
- 0 for initial IKE
- 8 for IKE
- 4 for AH and ESP
Combined and normal ciphers must be in different proposals (RFC)
Transform substructure
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Last substruct | Reserved | Transform Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Transform Type | Reserved | Transform ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Transform attributes /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Last substruct
- 0 = last
- 3 = not last
Transform type:
- 1 = encryption
- transform ID 1 = DES IV64
- 2 = DES
- 3 = 3DES
- 4 = RC5
- 5 = IDEA
- 6 = CAST
- 7 = Blowfish
- 8 = 3IDEA
- 9 = DES IV32
- 11 = null
- 12 = AES CBC
- 13 = AES CTR
- 14-16 = AES CCM
- 18-20 = AES GCM
- 2 = pseudorandom function
- 1 = MD5
- 2 = SHA1
- 3 = Tiger
- 5 = SHA256
- 6 = SHA384
- 7 = SHA512
- 3 = integrity
- 0 = none
- 1 = MD5-96
- 2 = SHA1-96
- 3 = DES-MAC
- 4 = KPDK MD5
- 5 = AES-XCBC-96
- 12 = SHA256
- 13 = SHA386
- 14 = SHA512
- 4 = DH group
- 0 = none
- 1 = 768 bit
- 2 = 1024 bit
- 5 = 1536 bit
- 14 = 2048 bit
- 15 = 3072 bit
- 16 = 4096 bit
- 17 = 6144 bit
- 18 = 8192 bit
- 5 = ESN
- 0 = no ESN
- 1 = ESN
Transform attribute
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|F| Attribute type | Length(0)/Value(1) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Value(0)/not present(1) /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
F: attribute format, 0 = TLV, 1 = TV
Type:
- 0-13, 15-17 = IKEv1
- 14 = key length: TV
Key exchange substructure
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| DH Group Number | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ DH public value /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Identification substructure
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ID type | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ ID data /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
ID type
- 1 = IPv4
- 2 = FQDN
- 3 = email
- 5 = IPv6
- 9 = X.500 DN
- 10 = X.509 GN
- 11 = opaque, for vendor specific
Certificate substructure
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Encode | Certificate data (variable length) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Encode:
- 1 = PKCS#7, wrapped X.509 certificate
- 2 = PGP certificate
- 3 = DNS signed key
- 4 = X.509 certificate – signature
- 6 = Kerberos
- 7 = CRL
- 8 = ARL (authority revocation list)
- 9 = SPKI certificate
- 10 = X.509 certificate – attribute
- 12 = hash + URL X.509 certificate
- 13 = hash + URL X.509 bundle
Certificate request substructure
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Encode | Certificate authority (variable length) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Certificate authority: concatenation of SHA1 from CA public key (in IKEv1 – SN of CA)
Authentication substructure
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Auth method | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Auth Data /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Auth method:
- 1 = RSA signature
- 2 = PFR(shared key)
- 3 = DSS signature
Notify substructure
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol ID | SPI Size | Notify Message Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ SPI /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Data /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Types
- 1 = UNSUPPORTED_CRITICAL_PAYLOAD
- 4 = INVALID_IKE_SPI
- 5 = INVALID_MAJOR_VERSION
- 7 = INVALID_SYNTAX
- 9 = INVALID_MESSAGE_ID
- 11 = INVALID_SPI
- 14 = NO_PROPOSAL_CHOSEN
- 17 = INVALID_KE_PAYLOAD
- 24 = AUTHENTICATION_FAILED
- 34 = SINGLE_PAIR_REQUIRED
- 35 = NO_ADDITIONAL_SAS
- 36 = ADDRESS_FAILURE
- 37 = FAILED_CP_REQUIRED
- 38 = TS_UNACCEPTABLE
- 39 = INVALID_SELECTORS
- 43 = TEMPORARY_FAILURE
- 44 = CHILD_SA_NOT_FOUND
- 16384 = INITIAL_CONTACT
- 16385 = SET_WINDOW_SIZE
- 16386 = ADDITIONAL_TS_POSSIBLE
- 16387 = IPCOMP_SUPPORTED
- 16388 = NAT_DETECTION_SOURCE_IP
- 16389 = NAT_DETECTION_DESTINATION_IP
- 16390 = COOKIE
- 16391 = USE_TRANSPORT_MODE
- 16392 = HTTP_CERT_LOOKUP_SUPPORTED
- 16393 = REKEY_SA
- 16394 = ESP_TFC_PADDING_NOT_SUPPORTED
- 16395 = NON_FIRST_FRAGMENTS_ALSO
- 16406 = REDIRECT_SUPPORTED
- 16407 = REDIRECT
- 16408 = REDIRECTED_FROM
- 16430 = IKEV2_FRAGMENTATION_SUPPORTED
Delete substructure
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol ID | SPI Size | Num of SPIs |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ SPIs /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Traffic selector substructure
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Number of TS | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Traffic selectors /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Traffic selector
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TS Type | Protocol ID | Selector Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Start Port | End Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Starting Address /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Ending Address /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
TS type:
- 7 = IPv4 range
- 8 = IPv6 range
Encrypted payload substructure
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Initialization Vector /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Encrypted IKE Payloads \
/ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ | \
+-+-+-+-+-+-+-+-+ Padding (0-255 octets) +-+-+-+-+-+-+-+-+
\ | Pad Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Integrity Checksum Data /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Configuration payload substructure
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Config type | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|R| Attribute type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Value /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Config types:
- 1 = request
- 2 = reply
- 3 = set
- 4 = ack
Attribute types:
- 1 = IPv4 address
- 2 = IPv4 mask
- 3 = IPv4 DNS
- 4 = IPv4 NBNS
- 6 = IPv4 DHCP
- 7 = application version
- 8 = IPv6 address
- 10 = IPv6 DNS
- 12 = IPv6 DHCP
- 13 = IPv4 subnet
- 14 = supported attributes
- 15 = IPv6 subnet
Encrypted fragment payload substructure
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Fragment Number | Total Fragments |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Initialization Vector /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Encrypted content \
/ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ | \
+-+-+-+-+-+-+-+-+ Padding (0-255 octets) +-+-+-+-+-+-+-+-+
\ | Pad Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ Integrity Checksum Data /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Next payload for all fragments, except the first, is 0
Fragment number: starts with 1
IKEv2 message flow
IKE_SA_INIT
initiator responder
SA_i1, KE_i, N_i
------------------------------>
Sa_r1, KE_r, N_r, [CertReq]
<------------------------------
KE – key exchange material
N – nonce
IKE_SA_INIT, failed DH
initiator responder
SA_i1, KE_i, N_i
------------------------------>
N(INVALID_KE_PAYLOAD)
<------------------------------
SA_i1, KE_i, N_i
------------------------------>
Sa_r1, KE_r, N_r, [CertReq]
<------------------------------
IKE_SA_INIT, cookie
initiator responder
SA_i1, KE_i, N_i
------------------------------>
N(Cookie)
<------------------------------
N(Cookie), SA_i1, KE_i, N_i
------------------------------>
Sa_r1, KE_r, N_r, [CertReq]
<------------------------------
Cookie = <VersionID of Secret> | hash(N_i, IP_i, SPI_i | <secret>)
IKE_AUTH
initiator responder
SK{ID_i, [Cert], [CertReq], [AUTH], SA_i2, TS_i, TS_r}
----------------------------------------------------------->
SK{ID_r, [Cert], [AUTH], SA_r2, TS_i, TS_r}
<-----------------------------------------------------------
No AUTH if EAP is used (indicator of using EAP)
AUTH for asymmetric cryptography = PRF(SK_p, identification substructure)
AUTH for PSK = PRF(PRF(secret, “Key Pad for IKEv2”), IKE msg with headers)
CREATE_CHILD_SA, extra SA
initiator responder
SK{SA_i, N_i, [KE_i], TS_i, TS_r}
-------------------------------------->
SK{SA_r, N_r, [KE_r], TS_i, TS_r}
<--------------------------------------
Key material = PRF(SK_d, N_i|N_r)
Key material = PRF(SK_d, g^ir_new|N_i|N_r) – PFS
CREATE_CHILD_SA, IKEv2 rekey
initiator responder
SK{SA_i, N_i, KE_i}
------------------------>
SK{SA_r, N_r, KE_r}
<------------------------
SKEYSEED = PRF(SK_d_old, g^ir_new|N_i|N_r)
CREATE_CHILD_SA, Child SA rekey
initiator responder
SK{N(REKEY_SA), SA_i, N_i, KE_i, TS_i, TS_r}
------------------------------------------------->
SK{SA_r, N_r, KE_r, TS_i, TS_r}
<-------------------------------------------------
Accounting
initiator responder RADIUS
IKE_AUTH
------------>
IKE_AUTH
<------------
Accounting-Start
-------------------------------------------->
peer IP, IKE ID, audit session ID
N(DELETE)
<------------
Accounting-Stop
-------------------------------------------->
IP addr, IKE ID, encr/decr pkt/byte count
IOS CLI
(config)# crypto ikev2 keyring <RING>
(config-ikev2-keyring)# peer <PEER>
; no DNS resolution, crypto-map only, initiator
(config-ikev2-keyring-peer)# hostname <NAME>
; IKE ID, responder only
(config-ikev2-keyring-peer)# identity
(config-ikev2-keyring-pper)# address <IP> <MASK>
(config-ikev2-keyring-pper)# pre-sahred-key local <LINE>
(config)# crypto ikev2 proposal <PROPOSAL>
; default = never, n - % of in-neg SA after which cookies are sent
(config-ikev2-proposal)# cookie-challenge <n>|always|never
(config)# aaa authorization network <LST> local
(config)# crypto ikev2 authorization policy <POLICY>
; any local address, global VRF by default
(config)# crypto ikev2 profile <PROFILE>
(config-ikev2-profile)# aaa authorization group cert|psk list <LST> <POLICY>
; dVTI after IKEv2 negotiation, not required if NHRP – trigger (spoke)
; mode auto overrides mode in virtual-template
(config-ikev2-profile)# virtual-template <n> [mode auto]
(config-ikev2-profile)# keyring local <RING>
; query-identity requests EAP ID, by default ≡ IKE ID, 1 local authC method, m remote authC methods
(config-ikev2-profile)# authentication local|remote pre-share|eap query-identity
(config-ikev2-profile)# aaa authentication eap <LIST>
(config-ikev2-profile)# pki trustpoint <TP>
; on default, force ≡ if no INITIAL_CONTACT, use 5-tuple + IKE ID to clean up stale entries
(config-ikev2-profile)# initial-contact [force]
(config)# interface virtual-template <n> type tunnel
(config-if)# ip nhrp network-id <m>
; default, NHRP works only with GRE!
(config-if)# tunnel mode gre ip
; encapsulation is based on initiator proposal
(config-if)# tunnel mode auto
; IOS 15.6(1), IPsec mixed mode
(config-if)# tunnel mode ipsec ipv4|ipv6 v6-overlay|v4-overlay
# show interface virtual-access <n> configuration
# show derived-config [interface virtual-access <n>]
# show ip route nhrp
; IPsec SA, profile, crypto map for tunnel protection
# show crypto sockets
; information about IKE and IPsec SA
# show crypto session
# show crypto ikev2 diagnose error
# debug vtemplate cloning
IOS CLI IKEv2 hub
; ≈ phase 3
(config-if)# ip nhrp redirect
; optional, if not set, the interface that received connection is used
(config-if)# tunnel source <intf>
IOS CLI IKEv2 spoke
(config)# interface tunnel 0
; creates dVTI on redirect instead of IKEv2 on hub
(config-if)# ip nhrp shortcut virtual-template <m>
(config)# interface virtual-template <m> type tunnel
; m must match if tunnel creates child tunnels
(config-if)# ip nhrp shortcut virtual-template <m>
; useful if prefix moves between spokes
(config-if)# ip nhrp redirect
IKEv2 notify
- INVALID_KE_PAYLOAD
- mismatch of DH groups
- lists supported DB groups
- non-authenticated
- initiator sends full set: attacker cannot setup SA with weak algorithms
- INITIAL_CONTACT
- responder can clean up stale entries about initiator before timeout on IKE negotiation
- useful after initiator reset
- no payload
- keepalive
- acknowledge DELETE (echoes keepalive, validation using msgid)
- NAT_DETECTION_IP
- data = SHA1(SPIs, src IP, dst IP, src port, dst port)
- REDIRECT
- REDIRECT_SUPPORTED: initiator
- REDIRECT: responder, IP/FQDN VPN GW
- REDIRECTED_FROM: initiator, original GW
- HTTP_CERT_LOOKUP_SUPPORTED
; permits HTTP lookup
(config)# crypto ikev2 http-url cert
; 200 default
(config)# crypto ikev2 certificate-cache <n>
; off default, number of in-neg SAs after which cookie is sent and required
(config)# crypto ikev2 cookie-challenge <n>
; 5 default
(config)# crypto ikev2 window <n>
IKEv2 key material generation
SKEYSEED = PRF(N_i|N_r, g^ir)
- g^ir – DH shared secret
HMAC = hash(key XOR opad, hash(key XOR ipad, text))
- ipad = 0x36|..<n>..|0x36
- opad = 0x5c|..<n>..|0x5c
- n – block size
Key multiplication:
- T1 = PRF(SKEYSEED, N_i|N_r|SPI_i|SPI_r|0x01)
- T_i = PRF(SKEYSEED, T_i-1|N_i|N_r|SPI_i|SPI_r|i)
- T1 = SK_d – derive new key for Child SA
- T2,T3 = SK_ai, SK_ar – authC, integrity
- T4,T5 = SK_ei, SK_er – encryption
- T6,T7 = SK_pi, SK_pr – derive key for authC AUTH payload for non-key generation EAP
KEYMAT = PRF(SK_d, N_i|N_r) – for IPsec SA
KEYMAT = PRF(SK_d, g^ir|N_i|N_r) – IPsec SA rekey
NAT-T
- keepalive to refresh NAT entry: no encrypted, 0xFF bytes in UDP payload
- tunnel mode not required for several spoke behind single NAT (in contrast with DMVPN) because tunnels are P2P (direct association of SA)
; off default, same in IKEv2 profile
(config)# crypto ikev2 nat keepalive <sec>
IKE NAT-T
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source port | Destination port = 4500 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Non-ESP Marker (0x00000000) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ IKE header /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
ESP NAT-T
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source port | Destination port = 4500 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \
/ ESP data /
\ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
MOBIKE
- RFC 4555
- not supported by IOS
- client can change IP without SA reset
Spoke-to-spoke tunnel
- like DMVPN Phase 3
- IGP can run on top
- requires GRE because IPsec cannot encapsulate NHRP
DPD
- on keepalive reception – retransmit back, validate on massage ID
- keepalive = empty INFORMATIONAL
- if no keepalives ⇒ 5 retransmit ⇒ peer dead
- mode
- periodic
- on-demand: if there is outbound traffic and no inbound
- recommended for spoke only, hub can clean up stale entries on reconnect via INITIAL_CONTACT
; off default, n – transmit, m retransmit, sec
(config-ikev2-profile)# dpd <n> <m> on-demand|periodic
IKEv2 call admission control
- default: 40 incoming, 400 outgoing sessions
(config)# crypto ikev2 limit max-sa <n>
(config)# crypto ikev2 limit max-in-negotiation-sa <n> [incoming|outgoing]
# show crypto ikev2 stats
IKEv2 fragmentation
- exchange of IKEV2_FRAGMENTATION_SUPPORTED in IKE_SA_INIT
- fragmentation of IKE level instead of IP ⇒ protection from DoS because of IP reassembly
- modes
- Cisco
- fragmentation after encryption
- fragment number and fragment count are encrypted
- uses Vendor ID payload
- IETF
- fragmentation before encryption
- fragment number and fragment count – clear text
- preferred
- IOS 15.2(2), XE 3.15
- Cisco
; off, 576 for IPv4 and 1280 for IPv6 by default
(config)# crypto ikev2 fragmentation [mtu <bytes>]
# show crypto ikev2 sa detailed
SGT
- uses vendor ID, type CISCO-CTS-SGT – ignored if not supported
- CMD = 99 in ESP next-payload
- IPsec VTI only (bug: cannot look into GRE ≡ does not see CMD)
- if fragmented, only the first packet is prepended with CMD
PKI
- can tear down sessions on receiving CRL, authC for revoked certificates
- can tie SA lifetime to certificate validity period
- passes URL for certificate lookup in SIA (subject information access)
- headend name verification by SAN (subject alternative name) → by CN
- trustpoint selection
- hash
- first in IKEv2 profile ≡ fallback
; URL for certificate lookup, n – number to send instead of certificate chain
(ca-trustpoint)# match certificate <CERTMAP> override sia <n> <URL>
; off default, tear down session because of CRL
(config)# crypto ikev2 disconnect-revoked-peers
; on default
(config-ikev2-profile)# lifetime certificate
Name mangler
- translates IKE ID (string) into AAA username (string) for authZ and keyring after authC (same with EAP ID)
- FQDN, email, DN, EAP ID
AAA DB initiator responder AAA DB
(local, external) (local, external)
IKE_AUTH
---------------> AuthZ request
---------------->
AuthZ response
IKE_AUTH <----------------
AuthZ request <---------------
<---------------
AuthZ response
--------------->
(config)# crypto ikev2 name-mangler <MANGLER>
; if AAA local, username ≡ authZ policy
(config-ikev2-profile)# aaa authorization group psk list <AAA> <USERNAME>
(config-ikev2-profile)# aaa authorization group psk list <AAA> name-mangler <MANGLER>
; implicit authZ, uses attributes from EAP/AAA keyring
(config-ikev2-profile)# aaa authorization group psk list <AAA> cached
AuthZ
- cache AAA attributes, received with authC EAP or AAA keyring – implicit authZ; if cache not configured – ignore
- attribute reception order
- implicit
- group
- user
- attribute priority
- override: group > user > implicit
- user
- implicit
- group
(config-ikev2-profile)# aaa authorization group override psk list <AAA> <USERNAME>
Configuration
- models
- pull
- CFG_REQUEST, CFG_REPLY in IKE_AUTH
- on default
- push
- CFG_SET, CFG_ACK in INFORMATIONAL
- on default
- the only way for initiator to pass configuration
- if request is not received, responder uses for configuration
- pull
- attributes (TLV)
- standard
- Cisco unity: AnyConnect, FlexVPN client
- FlexVPN: FlexVPN client
- IP address selection
- Framed IP address
- received via RADIUS → requires accounting for deallocation later
- Framed-pool (= local pool)
- DHCP server
- Framed IP address
(config)# crypto ikev2 authorization policy <POLICY>
; interface address is passed as static route, auto-redistributed into IGP
(config-ikev2-author-policy)# route set interface
; ACL sets subnets to pass, may be non-existent, auto-redistributed into IGP
(config-ikev2-author-policy)# route set access-list <ACL>
(config-ikev2-author-policy)# route accept any [tag <n>] [distance <AD>]
; spoke receive addresses from pool (ip address negotiated)
(config-ikev2-author-policy)# pool <IP_POOL>
; spokes receive domain name
(config-ikev2-author-policy)# def-domain <DOMAIN>
; max number of SA on dVTI
(config-ikev2-author-policy)# ipsec flow-limit <n>
(config-ikev2-author-policy)# session-lifetime <sec>
EAP
- certificate-based authC for responder
- master session key (MSK)
- PSK for authC
- after EAP authC initiator and responder authenticate each other via MSK – active MITM protection
- EAP methods
- key generating: provides MSK
- non-key generating: uses SK_pi and SK_pr as PSK, vulnerable to active MITM (same as with DH)
- AnyConnect and MS IKEv2 client expect EAP Identity Request ⇒ require query-identity
- EAP-based authC indicator – no payload in AUTH
(config-ikev2-profile)# authentication remote eap [query-identity]
; 90 default, acceptable delay between EAP Request and Response – time for user input
(config-ikev2-profile)# authentication remote eap timeout <sec>
EAP flow, IKEv2 ID ≡ EAP ID
initiator responder RADIUS
(signature-based
authentication)
SA_i1, KE_i, N_i
---------------------------------------------------->
SA_r1, KE_r, N_r, [CertReq]
<----------------------------------------------------
SK{ID_i, [Cert], [CertReq], SA_i2, TS_i, TS_r}
---------------------------------------------------->
Access-Request(EAP ID = ID_i)
------------------------------>
Access-Challenge(EAP-method)
<------------------------------
SK{ID_r, [Cert], AUTH, EAP(EAP-method)}
<----------------------------------------------------
SK{EAP(EAP-method)}
---------------------------------------------------->
Access-Request(EAP-method)
------------------------------>
Access-Accept(EAP_Success)
<------------------------------
SK{EAP-Success}
<----------------------------------------------------
SK{AUTH} --+
----------------------------------------------------> |
SK{AUTH, SA_r2, TS_i, TS_r} | AUTH – on MSK
<---------------------------------------------------- |
--+
No AUTH in IKE_AUTH ≡ use EAP
ID_r, Cert – only in the first IKE_AUTH
EAP, Query identity
initiator responder RADIUS
(signature-based
authentication)
SA_i1, KE_i, N_i
---------------------------------------------------->
SA_r1, KE_r, N_r, [CertReq]
<----------------------------------------------------
SK{ID_i, [Cert], [CertReq], SA_i2, TS_i, TS_r}
---------------------------------------------------->
SK{ID_r, [Cert], AUTH, EAP-Request(Identity)}
<----------------------------------------------------
SK{EAP(EAP-Response(Identity))}
---------------------------------------------------->
Access-Request(EAP ID)
------------------------------>
Access-Challenge(EAP-method)
<------------------------------
SK{ID_r, [Cert], AUTH, EAP(EAP-method)}
<----------------------------------------------------
SK{EAP(EAP-Response(EAP-method))}
---------------------------------------------------->
Access-Request(EAP-method)
------------------------------>
Access-Accept(EAP_Success)
<------------------------------
SK{EAP-Success}
<----------------------------------------------------
SK{AUTH} --+
----------------------------------------------------> |
SK{AUTH, SA_r2, TS_i, TS_r} | AUTH – on MSK
<---------------------------------------------------- |
--+
AnyConnect-EAP
- information exchange via XML
- local DB authC is possible, external AAA not required
- not pass-through, EAP session is terminated on responder
- SK_pi and SK_pr as PSK, vulnerable to active MITM if responder certificate is compromised
(config-ikev2-profile)# authentication remote anyconnect-eap aggregate [cert-request]
(config-ikev2-profile)# aaa authentication anyconnect-eap <LIST>
; NAME = <IKEIdentity> in AnyConnect profile
(config-ikev2-profile)# match identity remote key-id <NAME>
AnyConnect responder RADIUS
IKE_SA_INIT
---------------------------------------->
VID(AnyConnectEAP), VID(CiscoCopyright)
IKE_AUTH
---------------------------------------->
IKE_AUTH
<----------------------------------------
<config-auth-type = "hello">
IKE_AUTH
---------------------------------------->
<config-auth-type = "init">
IKE_AUTH
<----------------------------------------
<config-auth-type = "auth-request">
IKE_AUTH
---------------------------------------->
<config-auth-type = "auth-reply">
Access-Request
------------------------------>
Access-Response
<------------------------------
IKE_AUTH
<----------------------------------------
<config-auth-type = "complete">
IKE_AUTH
---------------------------------------->
<config-auth-type = "ack">
IKE_AUTH(EAP-Success)
<----------------------------------------
IKE_AUTH(PSK)
<--------------------------------------->
Virtual-access interface
- configuration source
- virtual-template
- AAA authZ: “interface-config” VSA
- group
- implicit
- user
- incoming IKE session
- configuration from previous steps is overwritten if possible or not applied
(config)# aaa attribute list <ATTR>
(config-attr-list)# attribute type interface-config <STRING>
(crypto-ikev2-author-policy)# aaa attribute list <ATTR>
# debug vtemplate cloning
CoA/PoD
- CoA = change of authorization
- PoD = packet of disconnect
- DAC = dynamic authorization client, sends unsolicited CoA/PoD
- UDP 3799
- actions:
- interface-config
- sub-policy-in/sub-policy-out: QoS (service-policy input/output), policy must be defined in advance
- inacl, outacl: defines ACE
; IKE ID
# show crypto ikev2 sa detail
; audit session ID for PoD/CoA
# show aaa user all | begin <IKE ID>
# debug aaa coa
Auto-reconnect
- AnyConnect client
- does not require user to retype credentials, does not cache credentials
- reauthC on negotiated PSK ≡ session token, quicker than certificate-based
- preserves authZ attributes
- authC
- AnyConnect: EAP, certificate
- server: certificate
- does not work after reboot (client or server), timeout, manual disconnect
- client support indicator – request in CFG_REQUEST for proprietary attributes
- reconnect-session-id: used by client as IKE ID on reconnect
- reconnect-token-id: PSK for reconnect
- reconnect-dpd-interval: auto-enabled, 30s default
- reconnect-cleanup-interval
; off default, 30 mins default
(config-ikev2-profile)# reconnect [timeout <sec>]
AnyConnect Server
IKE_AUTH(CFG_REQUEST)
------------------------------>
IKE_AUTH(CFG_REPLY)
<------------------------------
<active>
DPD
<-------------XXX------------->
<inactive>
preserve state
IKE_AUTH(PSK = Session-token)
------------------------------>
IKE ID = Session-ID
<active>
IKE_AUTH
<------------------------------
MFA
- methods
- AnyConnect-EAP
- IKEv1 XAuth: first – device authC (certificate), then user authC (certificate, PSK)
- IKEv2 RFC4739
- if VPN-as-a-Service:
- provider – device authC for billing
- client’s AAA – user authC
AnyConnect responder RADIUS
IKE_AUTH response
<-------------------------------------
Cert, AUTH, EAP-Request("hello")
IKE_AUTH request
------------------------------------->
EAP-Response("init")
IKE_AUTH
<-------------------------------------
"auth-request", "client-cert-auth"
IKE_AUTH
------------------------------------->
{Cert}, {EAP-AUTH}, "init"
device authC
IKE_AUTH
<-------------------------------------
"auth-request"
IKE_AUTH
------------------------------------->
"auth-reply"
Access-Request
------------------------------>
Access-Response
<------------------------------
IKE_AUTH
<-------------------------------------
"complete"
IKE_AUTH
------------------------------------->
"ack"
Clients
- Windows
- sends IP or email as IKE ID
- uses EKU certificate field (extended key usage)
- AnyConnect
- uses EKU
- server SubjectAltName – IP or FQDN
- FlexVPN
- device-based remote-access
- uses client profile (tunnel interface without destination)
- sends VID: FLEXVPN-SUPPORTED, CISCO-DELETE-REASON
- Strongswan
; uses DNS, WINS from responder
(dhcp-config)# import all
(config)# crypto ikev2 client flexvpn <NAME>
; if backup GW is received from IP, it is inserted in the list after IP: IP-A, IP-B, IP-B.2, ...
(config-ikev2-flexvpn)# peer <n> <IP>
; immediate FQDN→IP resolution, dynamic = on first connect attempt, stored in running
(config-ikev2-flexvpn)# peer <n> <FQDN> [dynamic] [track <n>]
; off default, allows reconnect to preferred peer if track becomes up
(config-ikev2-flexvpn)# peer reactivate
; if connection within group exists, do not establish a new connection
(config-ikev2-flexvpn)# backup group <n>
(config-ikev2-flexvpn)# connect auto|manual|track <n>
(config-ikev2-flexvpn)# client connect <tunnel>
(config-ikev2-flexvpn)# client inside <intf>
; interface for tunnel source
(config-ikev2-flexvpn)# source <n> <interface> track <m>
# show crypto ikev2 client flexvpn
# crypto ikev2 client flexvpn connect [<NAME>]
; for manual – clear SA, for auto/track – CREATE_CHILD_SA
# clear crypto ikev2 client flexvpn [<NAME>]
Load-balancing
- based on IKEv2 redirect and HSRP (vIP – address for remote-access) with FlexVPN client or AnyConnect
- redirect
- IKE_SA_INIT: before DH (saves CPU cycles)
- IKE_AUTH: on client authC
- HSRP active ≡ cluster master
- roles
- master: collects load from slaves and distributes requests
- slave
- load
- system: RAM used, average CPU over 5s
- crypto: IPsec SA, IKEv2 SA, CAC limit
- overload limit: on exceeding does not receive new connections
- priority: the more priority is, the less load seems
- Cisco Load-balancing protocol (CLB)
- TCP 2012
- slaves send their load to master
- discovery through HSRP
- timers
- hello: 1s default
- hold: 3 x hello default
- report: 3s default
; responder
(config)# crypto ikev2 redirect gateway init|auth
; initiator, 5 default
(config)# crypto ikev2 client redirect [max-redirects <n>]
(config)# crypto ikev2 cluster
(config-ikev2-cluster)# standby-group <NAME>
(config-ikev2-cluster)# no shutdown
; max IPsec, IKEv2 SA, 10 default
(config-ikev2-cluster)# slave max-session <n>
; 3000 default
(config-ikev2-cluster)# holdtime <ms>
; 2012 default
(config-ikev2-cluster)# port <n>
; 1000 default
(config-ikev2-cluster)# slave hello <ms>
; 3000 default
(config-ikev2-cluster)# slave update <ms>
(config-ikev2-cluster)# slave priority <n>
; 100 default, the higher, the more load attracted
(config-ikev2-cluster)# master weight crypto-load <n>
(config-ikev2-cluster)# master weight system-load <n>
; 90% default
(config-ikev2-cluster)# overload-limit <n>
Design
- IGP should have more aggressive timers than IKE: otherwise blackholing
- IKE keepalive is always required, otherwise stale sessions hold resources
- quantum-resistant: AES-256, SHA-384, SHA-512
- several IKE rekey rounds before production use – rekey and PFS verification
- to avoid drops for out-of-order packets, move them to separate SA (e.g. voice, video, data)