Thursday, May 7, 2020

Cisco Firepower 2130 w/ASA code and Microsoft Windows 10 VPN client (Always On) using IKEv2 w/AES-128 with Machine certificate authentication:

Draft: #1

Hopefully this will help out anyone trying to get the MS Windows 10 (Always On) VPN client working with an ASA. I was having some issues online trying to find more information on how to set this up. I got it working in my environment, so I figured I would share what I learned.

But Motavar, why? Questions:

- Why a Cisco ASA and not an MS VPN/RAS box? Spinning up another set of VPN services means additional systems to support: servers, network route changes, firewall changes, border security, ownership, documentation, everything. Sometimes it is easier to point new VPN clients at an existing VPN headend (the Cisco ASA) that is already set up.

- Why the MS VPN client? "Some people" wanted to move to Always On VPN over AnyConnect. Not my call..

Please Note:

- This documentation assumes your Cisco Firepower 2130 ASA is running 9.13.x code to support Appliance mode. I'm not going to go into details on how to do this..

- We also assume that under your "AnyConnect Connection Profiles" section "Allow user to select connection profile on the login page" is checked and you're using a custom connection profile for AnyConnect users.

NOTE: This is important since a custom profile for AnyConnect makes sure your AnyConnect users are not landing on "DefaultRAGroup" for their connections.

NOTE2: Third-party IKEv2 clients such as the MS Windows 10 VPN client do not send a connection profile name, so the ASA drops them into "DefaultRAGroup". You have to make sure no other IPsec/AnyConnect clients will be connecting to this group. We are going to modify it for MS client use only.

- We assume you rolled out machine certs from a local (internal) CA. Also make sure your machine certs have a populated Subject (DN) field, or the connection will fail: the ASA uses the certificate subject as the username to track who connected (that is the "use the entire DN as the username" authorization setting later on). Without a Subject field you won't be able to connect.

- We assume you are using the built-in MS VPN client for Windows 10, which supports IKEv2 with PFS.

- We assume most work is done in ASDM.

Let's Begin!

NOTE: Some timers/settings may vary for your particular setup, so make changes as needed for your org. This is only a helpful framework to get you closer to getting your MS clients to connect. You know your environment, so the changes you make and what you break... is on YOU.

Create a Group Policy:

------------

* In the ASDM go to the "remote access VPN" lower left menu then up to "Network Client Access" at the top tree menu and down to "Group Policies"

* In this example we are creating a Group Policy called "AOVPN" for Always On VPN.

So create group policy "AOVPN".

Inside the policy, set Maximum Connect Time to "Unlimited" and Idle Timeout to "30 Minutes".

* Set up your DNS, address scopes, etc.

IMPORTANT NOTE: This is required for PFS use. Failure to do this step will result in the VPN client failing to pass traffic after a re-key event. The default MS VPN client IPsec child SA lifetime is 3600 seconds / 250000 KB, so the first re-key happens within an hour of connecting and that is when a missing PFS setting shows up.

* Go to the Advanced section and down to IPsec (IKEv1) Client. Enable PFS (Perfect Forward Secrecy). While this is listed under the IKEv1 section, it is actually applied to IKEv2 as well (on the CLI it is just "pfs enable" under the group-policy attributes). Yah, Go Cisco!

Setup your IKEv2 Policies and IPSec Proposals

------------

* In the ASDM go to the "remote access VPN" lower left menu then up to "Network Client Access" at the top tree menu and down to "Advanced". Then down to "IPSec" tree item and down to "IKE Policies".

* Under IKEv2 Policies create an entry as follows:

DH Group 14, Encryption AES (128-bit), Integrity Hash "sha256", Pseudo Random Function (PRF) hash "sha256", and lifetime 86400 seconds.

* Set up your IPsec Proposals (Transform Sets).

Go down a menu item to "IPsec Proposals (Transform Sets)".

Under IKEv2 IPsec Proposals:

create an entry with AES (128-bit) encryption and Integrity Hash "sha-256". This has to match what the Windows client is pinned to in the PowerShell hardening step later (AES128 / SHA256), otherwise the child SA negotiation fails with no proposal chosen.

Apply the IPSec Proposals to your Crypto Maps

-----------------------------

* In the ASDM go to the "remote access VPN" lower left menu then up to "Network Client Access" at the top tree menu and down to "Advanced". Then down to "IPSec" tree item and down to "Crypto Maps".

NOTE: This is important because the IKEv2 IPsec proposal we just created is not automatically added to the dynamic crypto map; the ASA only offers the proposals listed on the map, so without this step the client sees no acceptable proposal.

* Find your "Dynamic: 65535.x" dynamic map for outside/inside and edit it:

Under the "Tunnel Policy (Crypto Map) - Basic" tab find the "IKEv2 IPsec Proposal" section and add the "AES-128/sha-256" IKEv2 proposal we created above.

* Put a check mark next to "Perfect Forward Secrecy" and select Diffie-Hellman Group: Group 14 (this must match the PFS group the client is set to, PFS2048 = group 14).

Install your CA Certificate for Machine cert auth:

--------------

* From your internal CA, issue an identity certificate for the ASA and install it, together with the issuing CA chain, on the ASA.

* In the ASDM go to the "Remote Access VPN" lower left menu, then up to "Certificate Management" at the top tree menu and down to "Identity Certificates". Pop in your cert and/or go up to "CA Certificates" and add the CA chain there. This is used for the machine cert authentication in both directions: the ASA validates the client's machine cert against this CA, and the Windows client validates the ASA's identity cert against the roots in the machine's trusted root store, so the issuing CA must be trusted on the clients and the ASA cert should carry the Server Authentication EKU with the VPN server name in its subject/SAN.

* Name the associated trustpoint something like "VPNMachineCert".

Setup the IPSec(IKEv2) Connection Profiles

-------------------------

* In the ASDM go to the "Remote Access VPN" lower left menu, then up to "Network Client Access" at the top tree menu and down to "IPsec (IKEv2) Connection Profiles".

* Find "DefaultRAGroup" and check the box under "IKEv2 Enabled".

Edit the "DefaultRAGroup" and perform the following:

- Check the box next to "Enable Certificate Authentication" under the IKE Peer Authentication section.

- Check the box next to "Enable RSA signature hash" under the RSA Signature section. NOTE: This is used when AES is enabled in the MS VPN Client. If using default settings in the MS client I believe this may not be used.

- In the IKE Local Authentication section: check the box "Enable local authentication" and select "Certificate". In the dropdown box select the cert we want to use; the trustpoint name would be "VPNMachineCert" or whatever you called it.

- User Authentication section: server group would be LOCAL.

- Set up your DHCP / address pool settings.

- Default Group Policy: select the group policy "AOVPN" that we created earlier. Make sure "Enable IKEv2 Protocol" is checked below that item.

- On the left menu tree go into the "Advanced" section and down to "Authorization". Under the Authorization section select "Use the entire DN as the username". This is why the machine cert needs a Subject field; it becomes the username the ASA logs for the session.

I believe no other settings are required, so click OK and exit.

Enable Interfaces for IKEv2

--------------------

* In the ASDM go to the "Remote Access VPN" lower left menu, then up to "Network Client Access" at the top tree menu and down to "AnyConnect Connection Profiles".

* Make sure "IPsec (IKEv2) Access" is enabled on your inside/outside interfaces. So check mark "Allow Access" and "Enable Client Services".

* Find the "DefaultRAGroup" and edit it. Confirm the following:

Authentication: AAA/LOCAL group

Confirm client address pools

Confirm the group policy is still "AOVPN"

Confirm "Enable IPsec (IKEv2) client protocol" is checked and the DNS/domain info is in there.

NOTE: Most likely all of this was already configured under the IKEv2 settings from before, but it doesn't hurt to check it here.
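The ASDM clicks above, from the group policy through enabling IKEv2 on the outside interface, as the equivalent ASA CLI configuration. This is an added example written for this page, not configuration from the original post; the address pool, DNS server, default domain and the proposal name "AES128-SHA256" are assumptions, and the crypto map names are the ASDM defaults (SYSTEM_DEFAULT_CRYPTO_MAP under outside_map). Comments are on their own lines so the block can be pasted into config mode.

```text
! --- Group policy (ASDM: Network Client Access > Group Policies > AOVPN) ---
! assumed pool; change to your scope
ip local pool AOVPN-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
group-policy AOVPN internal
group-policy AOVPN attributes
 vpn-tunnel-protocol ikev2
 vpn-session-timeout none
 vpn-idle-timeout 30
! ASDM shows "pfs" under IPsec (IKEv1) Client, but it is applied to IKEv2 re-keys too
 pfs enable
! assumed DNS server and domain
 dns-server value 10.0.0.10
 default-domain value corp.example

! --- IKEv2 (IKE SA) policy: AES-128 / SHA-256 / PRF SHA-256 / DH14 / 1 day ---
crypto ikev2 policy 10
 encryption aes
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

! --- IKEv2 IPsec proposal (child SA): must match the Windows client's AES128/SHA256 ---
crypto ipsec ikev2 ipsec-proposal AES128-SHA256
 protocol esp encryption aes
 protocol esp integrity sha-256

! --- The proposal is NOT auto-added to the dynamic map; attach it and PFS group 14 here ---
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES128-SHA256
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group14
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

! --- Enable IKEv2 (and client services) on the outside interface ---
crypto ikev2 enable outside client-services port 443

! --- Trustpoint holding the ASA identity cert and the issuing CA chain ---
! (import the CA with "crypto ca authenticate VPNMachineCert" and the identity
!  cert with "crypto ca import VPNMachineCert certificate"; revocation is added later)
crypto ca trustpoint VPNMachineCert
 enrollment terminal

! --- DefaultRAGroup: where the Windows client lands, so lock it to cert auth + AOVPN ---
tunnel-group DefaultRAGroup general-attributes
 address-pool AOVPN-POOL
 authentication-server-group LOCAL
 default-group-policy AOVPN
! "Use the entire DN as the username": the machine cert Subject becomes the session username
 username-from-certificate use-entire-name
tunnel-group DefaultRAGroup ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate VPNMachineCert
```

A quick check after pasting: "show run tunnel-group DefaultRAGroup" should show both ikev2 authentication lines, and "show run crypto dynamic-map" should list the AES128-SHA256 proposal and "set pfs group14"; if either is missing, the Windows client will negotiate the IKE SA and then fail on the child SA or on the first re-key.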

MS Windows 10 VPN client.

---------------

* Windows 10: in your search bar type "VPN" and bring up the VPN settings.

* Create a VPN connection:

VPN Provider: Windows (built-in)

Connection name: "VPN"

Server name or address: your ASA outside IP / DNS name (it must match the name in the ASA identity cert)

VPN type: IKEv2

Type of sign-in info: Certificate

Check the box next to "Remember my sign-in info".

Save that.

* Go into your Windows 10 Settings and find "Network & Internet".

Select "Change adapter options".

Find your VPN adapter and right-click it:

Go to Properties and over to the "Security" tab:

Under the "Authentication" section move the radio button to "Use machine certificates" (the "Data encryption" dropdown right above it is a separate setting; leave it at "Require encryption").

Click OK and save that.

Final steps...

Now we have to harden/change the VPN setup to use AES, because the client's default IKEv2 proposal does not match the AES-128/SHA-256/DH14 policy we put on the ASA.

MS Windows 10 VPN client (harden)

------------------

* Command prompt /admin time.. so launch a command prompt as Administrator.

* Launch PowerShell from it.

* Enter the following (the parameters mirror the ASA side: AES-128 encryption, SHA-256 integrity, DH group 14, and PFS2048, which is DH group 14 for the child SA re-key):

$connection = "VPN"

Set-VpnConnectionIPsecConfiguration -ConnectionName $connection -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force
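The whole client side, the Settings app clicks plus the hardening cmdlet above, as one PowerShell script you can run instead of clicking. This is an added example, not a script from the original post; the server name is an assumption, the connection name "VPN" and the IPsec parameters are the ones used on this page.

```powershell
# Added example: build and pin the Windows 10 IKEv2 machine-cert profile for an ASA.
# Run in an elevated PowerShell. $server is an assumed hostname: it must match the
# subject/SAN of the ASA identity cert, or the client will fail certificate validation.
$connection = "VPN"
$server     = "vpn.corp.example"

# 1. Create the profile only if it does not exist yet (same as Settings > VPN > Add):
#    IKEv2, machine certificate authentication, credentials cached for Always On.
if (-not (Get-VpnConnection -Name $connection -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $connection `
        -ServerAddress $server `
        -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate `
        -RememberCredential `
        -Force
}

# 2. Pin the IKE SA and child SA proposal to what the ASA offers: AES-128, SHA-256,
#    DH group 14 for IKE, and PFS2048 (= DH 14) for the child-SA re-key. This flips
#    the profile's EncryptionLevel to Custom; the Windows default proposal would not
#    match the ASA's dynamic map.
Set-VpnConnectionIPsecConfiguration -ConnectionName $connection `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES128 `
    -DHGroup Group14 `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA256 `
    -PfsGroup PFS2048 `
    -Force

# 3. Verify what was stored before trying to connect.
$vpn = Get-VpnConnection -Name $connection
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
$vpn.IPsecCustomPolicy

# 4. Connect with the cached (machine cert) sign-in info and report the status.
rasdial $connection
Get-VpnConnection -Name $connection | Select-Object Name, ConnectionStatus
```

If step 4 reports an error about the certificate, check the ASA identity cert (trusted issuer on this machine, server name in the cert) before touching the IPsec parameters; if the connection comes up but drops traffic roughly an hour later, that is the child-SA re-key and points back at the PFS settings on the ASA group policy and dynamic map.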

Launch the VPN client:

------------------

Click your Windows network icon in the lower right, launch the VPN client and connect. Debug whatever you need on the ASA to confirm it is working.

AFTER TESTING CONNECTIVITY, NOW IT'S TIME FOR REVOCATION:

We save this for last since revocation can be a pain to test.

Setup Certificate Revocation

-------------------------

* Back into ASDM.

* In the ASDM go to the "Remote Access VPN" lower left menu, then up to "Certificate Management" at the top tree menu and down to "CA Certificates".

* Find the trustpoint for the machine certs, something like "VPNMachineCert".

* Edit the trustpoint:

Under the "Revocation Check" tab enable "Check certificates for revocation".

Move CRL over to the right side.

* Under the "CRL Retrieval Policy":

Check the box "Use CRL Distribution Point from the certificate".

* Under the "CRL Retrieval Method":

Disable LDAP

Enable HTTP

* Under the "Advanced" tab:

Update your cache timers. Mine is 60 minutes (note the trade-off: a longer cache means a revoked machine can keep connecting until the cached CRL expires or you clear it).

Check the box "Enforce next CRL update".

Other options:

I have "Accept certificates issued by this CA" and "Accept certificates issued by the subordinate CAs of this CA" checked.

Leave CRL check at none for now (we'll fix this on the CLI).

And finally... to work around the ASDM bug with enabling the CRL check

-----------------

* SSH to your VPN gateway and enter enable mode.

* conf t

Enter your trustpoint (example; use your own trustpoint name, e.g. "VPNMachineCert"):

type: crypto ca trustpoint VPNUSER_CA

type: revocation-check crl

type: crl configure

type: no protocol ldap

Note: most likely "no protocol ldap" was already set, but.. meh.. you have it again :)

NOTE2: Perform the steps above for any trustpoints that were created alongside it with a -1 or -2 suffix or whatever else was created, otherwise an intermediate CA in the chain will still be checked with "revocation-check none".

Revocation Time

------------

Have your server (PKI) friends put your machine cert on hold (revoke it with reason "Certificate Hold", which is the one reason that can be undone).

Then have them publish the new CRL and push it out to the sub CAs' distribution points.

Then go into the ASDM trustpoint, retrieve the CRLs, and confirm your client is blocked.

Then unrevoke, publish the CRL again on the server, retrieve the CRLs on the ASA, and test that you can reconnect.
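Before blaming the ASA, it helps to check from the client side whether the machine cert is what the page assumes (present in the machine store, has a Subject, Client Authentication EKU) and whether the CRL at the CDP already lists it as on hold. This is an added example, not from the original post; the issuer CN substring is an assumption, everything else is the standard .NET X509Chain and certutil behaviour.

```powershell
# Added example: client-side preflight of the machine certificate and a local
# revocation check against the same CDP/CRL the ASA fetches over HTTP.
# $caName is an assumed substring of your issuing CA's subject.
$caName        = "CN=Corp Issuing CA"
$clientAuthOid = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU

# 1. Candidate machine certs: LocalMachine\My, private key present, issued by our CA,
#    and carrying the Client Authentication EKU.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Issuer -like "*$caName*" -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}
if (-not $certs) { throw "No machine certificate from $caName with Client Authentication EKU" }

foreach ($cert in $certs) {
    # 2. The ASA uses the Subject as the username; a SAN-only cert fails the connection.
    if ([string]::IsNullOrWhiteSpace($cert.Subject)) {
        Write-Warning "$($cert.Thumbprint): empty Subject, the ASA will reject it"
        continue
    }

    # 3. Build the chain with ONLINE revocation checking for the whole chain. A cert
    #    on hold shows up as Revoked; a CDP the client cannot reach shows up as
    #    RevocationStatusUnknown / OfflineRevocation.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid  = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
    "{0}  {1}  valid={2}  status=[{3}]" -f $cert.Thumbprint, $cert.Subject, $valid, $status
    if ($status -match "Revoked") {
        Write-Warning "CRL already lists this cert as revoked/on hold; the ASA should block it once it refreshes its CRL"
    }
    if ($status -match "RevocationStatusUnknown|OfflineRevocation") {
        Write-Warning "CRL could not be fetched from the CDP; check the HTTP CDP URL the ASA is also configured to use"
    }
    $chain.Dispose()
}

# 4. Cross-check with certutil: print the CDP URLs from the cert and the revocation
#    result exactly as the Windows CAPI sees it (the ASA sees the same CRL).
$cerPath = Join-Path $env:TEMP "machine.cer"
Export-Certificate -Cert $certs[0] -FilePath $cerPath -Force | Out-Null
certutil -urlfetch -verify $cerPath | Select-String -Pattern "CDP|revoked|hold|revocation check"
```

Windows caches CRLs just like the ASA does, so a test run immediately after the PKI team publishes can still show the old answer; "certutil -urlcache crl delete" clears the client-side CRL cache, which is the counterpart of clearing the CRLs under Monitoring > Properties > CRL on the ASA described below.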

When revocation or un-revoke doesn't work:

------------------

When in doubt, do the following:

Have the server team push out the revocation changes to the sub CAs, or whatever they do, again.

Go into ASDM and over to the "Monitoring" tab at the top, then down to "Properties" in the lower left corner.

In the tree menu find "CRL" and go into that section.

View ALL CRLs...

Delete/clear all CRLs (the ASA keeps serving the cached CRL until the cache timer or next-update time expires, so a stale cache looks exactly like a revocation that "didn't work").

Go back to your trustpoint and update the CRLs.

Test again after a minute.

Well.. I hope this helped someone?

I wish you all luck if you're crazy enough to do this..

And as always, stay safe out there and wear a mask :)
