Creating an SSL VPN
Problem
You want to create an SSL VPN using Cisco's WebVPN services on an IOS router.
Solution
You can configure a simple SSL VPN on a router, essentially constructing an HTTPS portal that includes simple port forwarding:
Core#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Core(config)#hostname Core
Core(config)#ip domain-name oreilly.com
Core(config)#aaa new-model
Core(config)#aaa authentication login local_auth local
Core(config)#username ijbrown secret ianspassword
Core(config)#username kdooley secret kevinspassword
Core(config)#crypto pki trustpoint WEBVPN
Core(ca-trustpoint)#enrollment selfsigned
Core(ca-trustpoint)#rsakeypair WEBVPN 1024
Core(ca-trustpoint)#subject-name CN=WEBVPN OU=cookbooks O=oreilly
Core(ca-trustpoint)#exit
Core(config)#crypto pki enroll WEBVPN
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-3299111097.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
Core(config)#interface Loopback0
Core(config-if)#ip address 172.25.100.2 255.255.255.255
Core(config-if)#exit
Core(config)#webvpn enable gateway-addr 172.25.100.2
Core(config)#webvpn
Core(config-webvpn)#ssl trustpoint WEBVPN
Core(config-webvpn)#ssl encryption 3des-sha1
Core(config-webvpn)#title "Cisco Cookbook WebVPN Portal"
Core(config-webvpn)#url-list COOKBOOKURLS
Core(config-webvpn-url)#heading "Cookbook URLs"
Core(config-webvpn-url)#url-text "Cisco Cookbook" url-value "http://www.oreilly.com/catalog/ciscockbk/"
Core(config-webvpn-url)#url-text "Perl Cookbook" url-value "http://www.oreilly.com/catalog/perlckbk2/"
Core(config-webvpn-url)#heading "Cisco URLs"
Core(config-webvpn-url)#url-text "The Books" url-value "http://www.oreilly.com/pub/topic/cisco"
Core(config-webvpn-url)#exit
Core(config-webvpn)#port-forward list SERVERLOGIN local-port 20003 remote-server 172.25.1.1 remote-port 23
Core(config-webvpn)#exit
Core(config)#end
Core#
Discussion
We should start by stressing that the Secure Sockets Layer (SSL) WebVPN options available on an IOS router are severely limited compared to those available on dedicated VPN concentrator devices, such as the Cisco VPN 3000 series. In particular, the IOS version of WebVPN supports only SSL Version 3, not Transport Layer Security (TLS); it does not support Cisco Security Desktop (CSD) or the Cisco SSL VPN Client software; and it does not support Macromedia Flash URLs.
On the client side, you can run essentially any SSL-enabled browser such as Mozilla, Firefox, Internet Explorer, or Netscape. For full functionality, you must also have Java enabled on the browser, as WebVPN uses Java to handle the application port forwarding through the browser.
We begin this recipe by specifying the router's name and the domain name. As we mentioned in Recipe 12.5, this information is required for the key generation process:
Core(config)#hostname Core
Core(config)#ip domain-name oreilly.com
We then enable AAA, configure local user authentication, and define the usernames and passwords. Note that you could also use a RADIUS or TACACS+ server for this purpose, as we discuss in Chapter 4. If you have a lot of users, it is much easier to manage them on a central server:
Core(config)#aaa new-model
Core(config)#aaa authentication login local_auth local
Core(config)#username ijbrown secret ianspassword
Core(config)#username kdooley secret kevinspassword
Next, we need to define the certificate that we will use for the SSL connection. For simplicity, we will use a self-signed certificate. In general, it is preferable to use a trusted certificate authority rather than self-signed certificates, but for a purely internal purpose like an SSL VPN portal for enterprise users, self-signed certificates should be fine.
First, we must define the properties of the certificate:
Core(config)#crypto pki trustpoint WEBVPN
Core(ca-trustpoint)#enrollment selfsigned
Core(ca-trustpoint)#rsakeypair WEBVPN 1024
Core(ca-trustpoint)#subject-name CN=WEBVPN OU=cookbooks O=oreilly
Core(ca-trustpoint)#exit
In this case, we have stipulated that the certificate is to be self-signed and that we want to use 1024-bit RSA keys. The subject-name command allows you to specify other options in the certificate. This example sets the Organization (O=) and Organizational Unit (OU=) fields.
Next we create the certificate:
Core(config)#crypto pki enroll WEBVPN
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-3299111097.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
As you can see, this router already had a self-signed certificate. You can only have one such certificate on a router at a time, so creating this new certificate has destroyed the old one.
This router happens to be running the HTTPS administrative access system, which is already listening on TCP port 443. Because the SSL VPN will also use this same port, we have to be careful to assign it to its own IP address. For this purpose, we have created a new Loopback interface. We then simultaneously enable the WebVPN feature and assign the address to the process by using the webvpn enable command:
Core(config)#interface Loopback0
Core(config-if)#ip address 172.25.100.2 255.255.255.255
Core(config-if)#exit
Core(config)#webvpn enable gateway-addr 172.25.100.2
Next, we configure the actual HTTPS portal that users will see when they point their web browsers to this address. First we associate the SSL trustpoint with the certificate that we just defined, and then we specify that we will use Triple DES encryption with an SHA1 hash over the connection:
Core(config)#webvpn
Core(config-webvpn)#ssl trustpoint WEBVPN
Core(config-webvpn)#ssl encryption 3des-sha1
Other encryption methods are available, including single DES with SHA1 hashing:
Core(config-webvpn)#ssl encryption des-sha1
Or you can opt for RC4 encryption with an MD5 hash:
Core(config-webvpn)#ssl encryption rc4-md5
In our example, we opted for the most secure of the three options.
Then, if necessary, we can set up some links on the web page using the URLs of web sites to make it useful as a portal:
Core(config-webvpn)#title "Cisco Cookbook WebVPN Portal"
Core(config-webvpn)#url-list COOKBOOKURLS
Core(config-webvpn-url)#heading "Cookbook URLs"
Core(config-webvpn-url)#url-text "Cisco Cookbook" url-value "http://www.oreilly.com/catalog/ciscockbk/"
There are many additional options available to make this web portal function more aesthetically pleasing on the screen, including the ability to alter colors and even include GIF or JPEG images. We encourage the reader to simply play with the different options and find a scheme that suits their organization.
And, most usefully, we can define port-forwarding rules:
Core(config-webvpn)#port-forward list SERVERLOGIN local-port 20003 remote-server 172.25.1.1 remote-port 23
In this example, we have configured only one very simple rule, called SERVERLOGIN, for telnet access to a particular server. Once the user has connected to this WebVPN screen, they can use their local telnet application to connect to their own loopback address, 127.0.0.1, on the specified port, 20003 in this case. This connection is then intercepted by a Java application on their local system and redirected through the SSL connection to the destination IP address.
In a similar way, you could configure an email application to connect to a particular local port and the same workstation loopback address. Java will then redirect this traffic to the router, which will use another port-forwarding rule that you have defined to send it to the email server. For example, here is a rule for forwarding POP services:
Core(config-webvpn)#port-forward list POPEMAIL local-port 20004 remote-server 172.25.1.1 remote-port 110
In this case, your workstation's POP mail client would be directed to get its mail from the address 127.0.0.1 and TCP port 20004.
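As an added check that is not code from the book or from Cisco, the following Python script audits the settings this recipe walks through: it parses the ssl encryption method, the gateway address, the RSA key length and the port-forward lists out of IOS configuration text and flags the weaker cipher choices, a gateway address that would collide with HTTPS administration on port 443, and a short RSA key (the 2048-bit threshold is current general guidance, not something the recipe states). The sample configuration and the https_admin_addrs parameter are constructed for this example.

```python
import re
# Constructed sample in the form of this recipe's running config (not a real capture);
# rc4-md5 is used here so the audit has something to flag.
SAMPLE_CONFIG = """\
crypto pki trustpoint WEBVPN
 rsakeypair WEBVPN 1024
webvpn enable gateway-addr 172.25.100.2
 ssl trustpoint WEBVPN
 ssl encryption rc4-md5
 port-forward list SERVERLOGIN local-port 20003 remote-server 172.25.1.1 remote-port 23
 port-forward list POPEMAIL local-port 20004 remote-server 172.25.1.1 remote-port 110
"""

# The three "ssl encryption" choices the recipe lists, strongest first (rank 0).
ENCRYPTION_RANK = {"3des-sha1": 0, "des-sha1": 1, "rc4-md5": 2}
PATTERNS = {
    "gateway": re.compile(r"webvpn enable gateway-addr (\S+)"),
    "encryption": re.compile(r"ssl encryption (\S+)"),
    "rsa_bits": re.compile(r"rsakeypair \S+ (\d+)"),
    "forward": re.compile(
        r"port-forward list (\S+) local-port (\d+) remote-server (\S+) remote-port (\d+)"),
}

def parse_webvpn(config):
    # Pull the WebVPN settings this recipe configures out of IOS config text.
    cfg = {"gateway": None, "encryption": None, "rsa_bits": None, "port_forwards": []}
    for line in config.splitlines():
        line = line.strip()
        for key, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            if key == "forward":
                name, lport, server, rport = m.groups()
                cfg["port_forwards"].append((name, int(lport), server, int(rport)))
            else:
                cfg[key] = int(m.group(1)) if key == "rsa_bits" else m.group(1)
    return cfg

def audit_webvpn(config, https_admin_addrs=()):
    # Findings a reviewer would raise: weak cipher choice, gateway clash, short RSA key.
    cfg = parse_webvpn(config)
    findings = []
    if ENCRYPTION_RANK.get(cfg["encryption"], 99) > 0:
        findings.append(f"ssl encryption {cfg['encryption']} is weaker than 3des-sha1")
    if cfg["gateway"] in https_admin_addrs:
        findings.append(f"gateway-addr {cfg['gateway']} collides with HTTPS admin on TCP 443")
    if cfg["rsa_bits"] is not None and cfg["rsa_bits"] < 2048:
        findings.append(f"{cfg['rsa_bits']}-bit RSA key; 2048 bits or more is current guidance")
    return findings
```

Pass the addresses your HTTPS management server listens on as https_admin_addrs to catch the port 443 clash the recipe avoids with the dedicated loopback.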
See Also
Chapter 4; Recipe 12.5