larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS

Best Value Purchase

Book + eBook Bundle

  • Your Price: $73.69
  • List Price: $126.98
  • We're temporarily out of stock, but order now and we'll send it to you later.
  • Includes EPUB and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Acrobat® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

Individual Purchases

Book

  • Your Price: $51.99
  • List Price: $64.99
  • We're temporarily out of stock, but order now and we'll send it to you later.

eBook

  • Your Price: $49.59
  • List Price: $61.99
  • Includes EPUB and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Acrobat® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

  • Description
  • Sample Content
  • Updates
  • Copyright 2017
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 656
  • Edition: 1st
  • Book
  • ISBN-10: 1-58714-460-3
  • ISBN-13: 978-1-58714-460-8

Create and manage highly-secure Ipsec VPNs with IKEv2 and Cisco FlexVPN

The IKEv2 protocol significantly improves VPN security, and Cisco’s FlexVPN offers a unified paradigm and command line interface for taking full advantage of it. Simple and modular, FlexVPN relies extensively on tunnel interfaces while maximizing compatibility with legacy VPNs. Now, two Cisco network security experts offer a complete, easy-tounderstand, and practical introduction to IKEv2, modern IPsec VPNs, and FlexVPN.

The authors explain each key concept, and then guide you through all facets of FlexVPN planning, deployment, migration, configuration, administration, troubleshooting, and optimization. You’ll discover how IKEv2 improves on IKEv1, master key IKEv2 features, and learn how to apply them with Cisco FlexVPN.

IKEv2 IPsec Virtual Private Networks offers practical design examples for many common scenarios, addressing IPv4 and IPv6, servers, clients, NAT, pre-shared keys, resiliency, overhead, and more. If you’re a network engineer, architect, security specialist, or VPN administrator, you’ll find all the knowledge you need to protect your organization with IKEv2 and FlexVPN.

  • Understand IKEv2 improvements: anti-DDoS cookies, configuration payloads, acknowledged responses, and more
  • Implement modern secure VPNs with Cisco IOS and IOS-XE
  • Plan and deploy IKEv2 in diverse real-world environments
  • Configure IKEv2 proposals, policies, profiles, keyrings, and authorization
  • Use advanced IKEv2 features, including SGT transportation and IKEv2 fragmentation
  • Understand FlexVPN, its tunnel interface types, and IOS AAA infrastructure
  • Implement FlexVPN Server with EAP authentication, pre-shared keys, and digital signatures
  • Deploy, configure, and customize FlexVPN clients
  • Configure, manage, and troubleshoot the FlexVPN Load Balancer
  • Improve FlexVPN resiliency with dynamic tunnel source, backup peers, and backup tunnels
  • Monitor IPsec VPNs with AAA, SNMP, and Syslog
  • Troubleshoot connectivity, tunnel creation, authentication, authorization, data encapsulation, data encryption, and overlay routing
  • Calculate IPsec overhead and fragmentation
  • Plan your IKEv2 migration: hardware, VPN technologies, routing, restrictions, capacity, PKI, authentication, availability, and more

Online Sample Chapter

IKEv2 Deployments

Sample Pages

Download the sample pages (includes Chapter 7 and the Index.)

Table of Contents

Foreword xxvii

Introduction xxxiii

Part I Understanding IPsec VPNs

Chapter 1 Introduction to IPsec VPNs 1

The Need and Purpose of IPsec VPNs 2

Building Blocks of IPsec 2

Security Protocols 2

Security Associations 3

Key Management Protocol 3

IPsec Security Services 3

Access Control 4

Anti-replay Services 4

Confidentiality 4

Connectionless Integrity 4

Data Origin Authentication 4

Traffic Flow Confidentiality 4

Components of IPsec 5

Security Parameter Index 5

Security Policy Database 5

Security Association Database 6

Peer Authorization Database 6

Lifetime 7

Cryptography Used in IPsec VPNs 7

Symmetric Cryptography 7

Asymmetric Cryptography 8

The Diffie-Hellman Exchange 8

Public Key Infrastructure 11

Public Key Cryptography 11

Certificate Authorities 12

Digital Certificates 12

Digital Signatures Used in IKEv2 12

Pre-Shared-Keys, or Shared Secret 13

Encryption and Authentication 14

IP Authentication Header 15

Anti-Replay 16

IP Encapsulating Security Payload (ESP) 17

Authentication 18

Encryption 18

Anti-Replay 18

Encapsulation Security Payload Datagram Format 18

Encapsulating Security Payload Version 3 19

Extended Sequence Numbers 19

Traffic Flow Confidentiality 20

Dummy Packets 20

Modes of IPsec 20

IPsec Transport Mode 20

IPsec Tunnel Mode 21

Summary 22

References 22

Part II Understanding IKEv2

Chapter 2 IKEv2: The Protocol 23

IKEv2 Overview 23

The IKEv2 Exchange 24

IKE_SA_INIT 25

Diffie-Hellman Key Exchange 26

Security Association Proposals 29

Security Parameter Index (SPI) 34

Nonce 35

Cookie Notification 36

Certificate Request 38

HTTP_CERT_LOOKUP_SUPPORTED 39

Key Material Generation 39

IKE_AUTH 42

Encrypted and Authenticated Payload 42

Encrypted Payload Structure 43

Identity 44

Authentication 45

Signature-Based Authentication 46

(Pre) Shared-Key-Based Authentication 47

EAP 48

Traffic Selectors 50

Initial Contact 52

CREATE_CHILD_SA 53

IPsec Security Association Creation 53

IPsec Security Association Rekey 54

IKEv2 Security Association Rekey 54

IKEv2 Packet Structure Overview 55

The INFORMATIONAL Exchange 56

Notification 56

Deleting Security Associations 57

Configuration Payload Exchange 58

Dead Peer Detection/Keepalive/NAT Keepalive 59

IKEv2 Request Response 61

IKEv2 and Network Address Translation 61

NAT Detection 64

Additions to RFC 7296 65

RFC 5998 An Extension for EAP-Only Authentication in IKEv2 65

RFC 5685 Redirect Mechanism for the Internet Key Exchange

Protocol Version 2 (IKEv2) 65

RFC 6989 Additional Diffie-Hellman Tests for the Internet Key

Exchange Protocol Version 2 (IKEv2) 65

RFC 6023 A Childless Initiation of the Internet

Key Exchange Version 2 (IKEv2) Security Association (SA) 66

Summary 66

References 66

Chapter 3 Comparison of IKEv1 and IKEv2 67

Brief History of IKEv1 67

Exchange Modes 69

IKEv1 70

IKEv2 71

Anti-Denial of Service 72

Lifetime 72

Authentication 73

High Availability 74

Traffic Selectors 74

Use of Identities 74

Network Address Translation 74

Configuration Payload 75

Mobility & Multi-homing 75

Matching on Identity 75

Reliability 77

Cryptographic Exchange Bloat 77

Combined Mode Ciphers 77

Continuous Channel Mode 77

Summary 77

References 78

Part III IPsec VPNs on Cisco IOS

Chapter 4 IOS IPsec Implementation 79

Modes of Encapsulation 82

GRE Encapsulation 82

GRE over IPsec 83

IPsec Transport Mode with GRE over IPsec 83

IPsec Tunnel mode with GRE over IPsec 84

Traffic 85

Multicast Traffic 85

Non-IP Protocols 86

The Demise of Crypto Maps 86

Interface Types 87

Virtual Interfaces: VTI and GRE/IPsec 87

Traffic Selection by Routing 88

Static Tunnel Interfaces 90

Dynamic Tunnel Interfaces 91

sVTI and dVTI 92

Multipoint GRE 92

Tunnel Protection and Crypto Sockets 94

Implementation Modes 96

Dual Stack 96

Mixed Mode 96

Auto Tunnel Mode 99

VRF-Aware IPsec 99

VRF in Brief 99

VRF-Aware GRE and VRF-Aware IPsec 101

VRF-Aware GRE over IPsec 102

Summary 103

Reference 104

Part IV IKEv2 Implementation

Chapter 5 IKEv2 Configuration 105

IKEv2 Configuration Overview 105

The Guiding Principle 106

Scope of IKEv2 Configuration 106

IKEv2 Configuration Constructs 106

IKEv2 Proposal 107

Configuring the IKEv2 Proposal 108

Configuring IKEv2 Encryption 111

Configuring IKEv2 Integrity 113

Configuring IKEv2 Diffie-Hellman 113

Configuring IKEv2 Pseudorandom Function 115

Default IKEv2 Proposal 115

IKEv2 Policy 117

Configuring an IKEv2 Policy 118

Configuring IKEv2 Proposals under IKEv2 Policy 119

Configuring Match Statements under IKEv2 Policy 120

Default IKEv2 Policy 121

IKEv2 Policy Selection on the Initiator 122

IKEv2 Policy Selection on Responder 124

IKEv2 Policy Configuration Examples 125

Per-peer IKEv2 Policy 125

IKEv2 Policy with Multiple Proposals 126

IKEv2 Keyring 128

Configuring IKEv2 Keyring 129

Configuring a Peer Block in Keyring 130

Key Lookup on Initiator 132

Key Lookup on Responder 133

IKEv2 Keyring Configuration Example 134

IKEv2 Keyring Key Points 136

IKEv2 Profile 136

IKEv2 Profile as Peer Authorization Database 137

Configuring IKEv2 Profile 138

Configuring Match Statements in IKEv2 Profile 139

Matching any Peer Identity 142

Defining the Scope of IKEv2 Profile 143

Defining the Local IKE Identity 143

Defining Local and Remote Authentication Methods 145

IKEv2 Dead Peer Detection 149

IKEv2 Initial Contact 151

IKEv2 SA Lifetime 151

NAT Keepalives 152

IVRF (inside VRF) 152

Virtual Template Interface 153

Disabling IKEv2 Profile 153

Displaying IKEv2 Profiles 153

IKEv2 Profile Selection on Initiator and Responder 154

IKEv2 Profile Key Points 154

IKEv2 Global Configuration 155

HTTP URL-based Certificate Lookup 156

IKEv2 Cookie Challenge 156

IKEv2 Call Admission Control 157

IKEv2 Window Size 158

Dead Peer Detection 158

NAT Keepalive 159

IKEv2 Diagnostics 159

PKI Configuration 159

Certificate Authority 160

Public-Private Key Pair 162

PKI Trustpoint 163

PKI Example 164

IPsec Configuration 166

IPsec Profile 167

IPsec Configuration Example 168

Smart Defaults 168

Summary 169

Chapter 6 Advanced IKEv2 Features 171

Introduction to IKEv2 Fragmentation 171

IP Fragmentation Overview 172

IKEv2 and Fragmentation 173

IKEv2 SGT Capability Negotiation 178

IKEv2 Session Authentication 181

IKEv2 Session Deletion on Certificate Revocation 182

IKEv2 Session Deletion on Certificate Expiry 184

IKEv2 Session Lifetime 185

Summary 187

References 188

Chapter 7 IKEv2 Deployments 189

Pre-shared-key Authentication with Smart Defaults 189

Elliptic Curve Digital Signature Algorithm Authentication 194

RSA Authentication Using HTTP URL Lookup 200

IKEv2 Cookie Challenge and Call Admission Control 207

Summary 210

Part V FlexVPN

Chapter 8 Introduction to FlexVPN 211

FlexVPN Overview 211

The Rationale 212

FlexVPN Value Proposition 213

FlexVPN Building Blocks 213

IKEv2 213

Cisco IOS Point-to-Point Tunnel Interfaces 214

Configuring Static P2P Tunnel Interfaces 214

Configuring Virtual-Template Interfaces 216

Auto-Detection of Tunnel Encapsulation and Transport 219

Benefits of Per-Peer P2P Tunnel Interfaces 221

Cisco IOS AAA Infrastructure 221

Configuring AAA for FlexVPN 222

IKEv2 Name Mangler 223

Configuring IKEv2 Name Mangler 224

Extracting Name from FQDN Identity 225

Extracting Name from Email Identity 226

Extracting Name from DN Identity 226

Extracting Name from EAP Identity 227

IKEv2 Authorization Policy 228

Default IKEv2 Authorization Policy 229

FlexVPN Authorization 231

Configuring FlexVPN Authorization 233

FlexVPN User Authorization 235

FlexVPN User Authorization, Using an External AAA Server 235

FlexVPN Group Authorization 237

FlexVPN Group Authorization, Using a Local AAA Database 238

FlexVPN Group Authorization, Using an External AAA Server 239

FlexVPN Implicit Authorization 242

FlexVPN Implicit Authorization Example 243

FlexVPN Authorization Types: Co-existence and Precedence 245

User Authorization Taking Higher Precedence 247

Group Authorization Taking Higher Precedence 249

FlexVPN Configuration Exchange 250

Enabling Configuration Exchange 250

FlexVPN Usage of Configuration Payloads 251

Configuration Attributes and Authorization 253

Configuration Exchange Examples 259

FlexVPN Routing 264

Learning Remote Subnets Locally 265

Learning Remote Subnets from Peer 266

Summary 268

Chapter 9 FlexVPN Server 269

Sequence of Events 270

EAP Authentication 271

EAP Methods 272

EAP Message Flow 273

EAP Identity 273

EAP Timeout 275

EAP Authentication Steps 275

Configuring EAP 277

EAP Configuration Example 278

AAA-based Pre-shared Keys 283

Configuring AAA-based Pre-Shared Keys 284

RADIUS Attributes for AAA-Based Pre-Shared Keys 285

AAA-Based Pre-Shared Keys Example 285

Accounting 287

Per-Session Interface 290

Deriving Virtual-Access Configuration from a Virtual Template 291

Deriving Virtual-Access Configuration from AAA Authorization 293

The interface-config AAA Attribute 293

Deriving Virtual-Access Configuration from an Incoming Session 294

Virtual-Access Cloning Example 295

Auto Detection of Tunnel Transport and Encapsulation 297

RADIUS Packet of Disconnect 299

Configuring RADIUS Packet of Disconnect 300

RADIUS Packet of Disconnect Example 301

RADIUS Change of Authorization (CoA) 303

Configuring RADIUS CoA 304

RADIUS CoA Examples 305

Updating Session QoS Policy, Using CoA 305

Updating the Session ACL, Using CoA 307

IKEv2 Auto-Reconnect 309

Auto-Reconnect Configuration Attributes 310

Smart DPD 311

Configuring IKEv2 Auto-Reconnect 313

User Authentication, Using AnyConnect-EAP 315

AnyConnect-EAP 315

AnyConnect-EAP XML Messages for User Authentication 316

Configuring User Authentication, Using AnyConnect-EAP 318

AnyConnect Configuration for Aggregate Authentication 320

Dual-factor Authentication, Using AnyConnect-EAP 320

AnyConnect-EAP XML Messages for dual-factor authentication 322

Configuring Dual-factor Authentication, Using AnyConnect-EAP 324

RADIUS Attributes Supported by the FlexVPN Server 325

Remote Access Clients Supported by FlexVPN Server 329

FlexVPN Remote Access Client 329

Microsoft Windows7 IKEv2 Client 329

Cisco IKEv2 AnyConnect Client 330

Summary 330

Reference 330

Chapter 10 FlexVPN Client 331

Introduction 331

FlexVPN Client Overview 332

FlexVPN Client Building Blocks 333

IKEv2 Configuration Exchange 334

Static Point-to-Point Tunnel Interface 334

FlexVPN Client Profile 334

Object Tracking 334

NAT 335

FlexVPN Client Features 335

Dual Stack Support 335

EAP Authentication 335

Dynamic Routing 335

Support for EzVPN Client and Network Extension Modes 336

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020