Cisco ezVPN with FreeRADIUS

It's been a while since I posted, but I have come across another comparatively poorly-documented part of the networking world. I struggled to find the answers to this, so here is a writeup that may help!

So, the idea is that I want to use ezVPN for remote sites dialling into a central point. However, rather than having my users configured locally on the hub router, I want to use RADIUS. However, I don't want to pay to use Cisco ACS server or Windows Server, so FreeRADIUS is the obvious open-source option.

Hub Router Configuration

The configuration on the router is fairly simple and well-documented. You will need an appropriate IOS with appropriate crypto functionality. In my case, I am using a Cisco CSR1000V in the cloud to test this. Below are the relevant parts of my configuration:

aaa group server radius VPN-RADIUS
 server-private <RADIUS Server IP> key <RADIUS Shared Secret>
 server-private <RADIUS Server IP> auth-port 1812
 server-private <RADIUS Server IP> acct-port 1813
 ip vrf forwarding Mgmt-intf
 ip radius source-interface GigabitEthernet0

!
aaa authentication login VPN-Users group VPN-RADIUS
aaa authorization network VPN-Users group VPN-RADIUS
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RemoteUsers
 key <pre-shared-key>
 acl 110
 save-password
!
crypto isakmp profile VPN
   match identity group RemoteUsers
   client authentication list VPN-Users
   isakmp authorization list VPN-Users
   client configuration address respond
   virtual-template 2

!
crypto ipsec transform-set ezVPN-Transform esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ezVPN
 set transform-set ezVPN-Transform
 set isakmp-profile VPN
!
crypto dynamic-map Remote-Map 10
 set transform-set ezVPN-Transform
 set isakmp-profile VPN
 reverse-route
!
crypto map VPN 65535 ipsec-isakmp dynamic Remote-Map
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ezVPN
!
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
!
interface Gigabit1
 ip address <WAN Address> <Netmask>
 crypto map VPN


This is a lot of configuration, and some of this may not be necessary. I need to go back and clean it out. In particular, the ISAKMP Client Configuration group will actually be provided by RADIUS, so likely we can remove this part.

The majority of the above configuration is easily found with some Google searches and is well documented. However, the next part, the RADIUS part, is not.

FreeRADIUS Configuration

First of all you need to get a server set up and FreeRADIUS installed. I won't elaborate further, since this is also well documented elsewhere. For reference, in my setup I used Ubuntu Server 12.04LTS.

clients.conf

The clients.conf file is simply used to identify expected RADIUS clients that may talk to us, and set the shared-secret for them. Below is a sample file:
client <Cisco device RADIUS source IP> {
        secret          = <Shared Secret>
        nastype         = cisco
        shortname       = ezVPN-Server
}

This now enables our Cisco router to talk to the RADIUS server. Check that you know what the source-address is on the Cisco - it can be defined within the Server Group config.

 

 users

The users file defines the different users available. This can also be done with an SQL database. However, the SQL part is well documented so I will not cover it here. First we have to set up the VPN Group user definition - this is the main part that I struggled with. Here is my example config:
RemoteUsers  Cleartext-Password := "cisco"
        Tunnel-Type = "ESP",
        Tunnel-Password = "<pre-shared-key>",
        Cisco-AVPair := "ipsec:tunnel-type=ESP",
        Cisco-AVPair += "ipsec:key-exchange=IKE",
        Cisco-AVPair += "ipsec:save-password=1",
        Cisco-AVPair += "ipsec:inacl=110"
So, to explain some of the fields:
- "RemoteUsers" - this will be whatever your VPN group is
- Cleartext-Password := "cisco" - This is required - the router sends a request with the group name and the password of "cisco".
- Tunnel-Type - This is another required item.
- Tunnel-Password - This should be your actual VPN group key.

Now we move on to the "Cisco-AVPair" entries. These are Cisco Attribute-Value pairs. So basically this is information that gets passed back to the router as parameters for the connection.

• ipsec:tunnel-type=ESP - Required - stating we will use ESP
• ipsec:key-exchange=IKE - Required - stating we will use IKE
• ipsec:save-password=1 - Optional - Since my setup is for branch-offices, I want to have the password pre-configured in the router without people needing to keep entering it. Therefore I have to permit the password to be saved locally.
• ipsec:inacl=110 - Optional - This is for split-tunnel VPNs. It specifies which ACL on my hub router should be used to define the split networking list.

You may have already realised, this is exactly the same data as can be included statically on the Cisco router, as below:
crypto isakmp client configuration group RemoteUsers
 key <pre-shared-key>    ! Tunnel-Password = "<pre-shared-key>"
 acl 110                 ! Cisco-AVPair += "ipsec:inacl=110"
 save-password           ! Cisco-AVPair += "ipsec:save-password=1"

For further reading about Cisco Attribute-Value pairs, have a look at this page: https://supportforums.cisco.com/document/58091/exploring-remote-access-vpn-easy-vpn-cisco-router-cisco-secure-access-control-server

For our actual VPN users, the entries are much simpler. We just need to add user/password pairs to the users file:

User1     Cleartext-Password := "<password>"

Once this is done, you should have a working ezVPN setup with FreeRADIUS server.

IGMP Query Solicitation

Once again, I've come back to IGMP/Multicast/STP. This is a topic that, while reasonably well documented, can be complex to find explanations of.

In this case, I saw a network where a switch was running many (lots, like 300+) VLANs and we were regularly seeing traffic from the same MAC in all of those VLANs. This behaviour was intruiging, so I did some digging.

The switch in question was an Allied Telesyn x610 switch. Looking at the packets in Wireshark, it turns out they all originate from a switch and they are IGMP Query Solicitation. So...

What is IGMP Query Solicitation?

So you remember back in one of my earliest posts, where we had IGMP and Spanning-Tree interacting in such a way that we had floods of traffic on the network? This is very much related. In that scenario we were seeing that our switches were flooding traffic to all ports whenever there was a Spanning-Tree topology change. This "IGMP Query Solicitation" is another behaviour that can occur at exactly the same time, when a topology change is seen. As well as flooding the multicast traffic to ensure it reaches the correct destination, the switch can also send an "IGMP Query Solicitation" message to everybody. This message essentially "resets" IGMP by prompting the querier to immediately send out a General Query. This, in turn, means that all clients will re-affirm their interest in the appropriate multicasting groups by sending a Membership Report. Therefore, the IGMP snoopers (switches) will then be able to rebuild their snooping databases and once again send traffic to all the right places. So it provides a way of restoring order to your network after Spanning-Tree announces a Topology Change.

So do I want this behavior? How do I turn it off?

Yes. It's good. It helps your network to get back to normal after any changes in topology. In our case there was a device that was not coping with seeing the same MAC in 300+ VLANs at the same time. However, there may be legitimate reasons to turn this on or off. In the Cisco switches I tested, this was disabled by default. In order for it to function, it required:

• An IGMP querier active in a VLAN (any VLAN with no querier got no query solicitation)
• IGMP Query Solicitation enabled ("ip igmp snooping tcn query solicit")

However, in the Allied Telesyn x610 switch that I was using, this behaviour is enabled by default. In addition, IGMP snooping is enabled by default. This is sort of good because if you don't need it, it is unlikely to cause harm, yet not having it when you need it can cause your network to flood.

In the case of the AT switches, there are two options, the default is that only the STP root-bridge will send the query solicitation packets. You can turn that off, or you can optionally enable it for all switches, not just the root. Commands are:

(no) ip igmp snooping tcn query solicit root
(no) ip igmp snooping tcn query solicit

The variation in implementations and defaults across switch manufacturers is interesting. Allied Telesyn seem to be protecting people, whereas Cisco are assuming you should know what you're doing at least a little bit!

As always, I hope this has been of use to somebody!

Cisco NAT Payload Inspection

I came across an interesting problem today with our public-facing DNS server. For various reasons that I can't actually justify, we have some DNS A records with private IP addresses in our main public-facing NS. Somebody noticed today that those weren't working any more and that DNS requests for these addresses would time out. For example, with apologies for the potentially confusing anonymisation of my company's names and addresses:

steve@linuxbox:~$ dig myname.mydomain.com @ns1.mydomain.com

; <<>> DiG 9.8.1-P1 <<>> myname.mydomain.com @ns1.mydomain.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Whereas, a request for a name with a public IP would work:

steve@linuxbox:~$ dig mypublicname.mydomain.com @ns1.mydomain.com
 
; <<>> DiG 9.8.1-P1 <<>> mypublicname.mydomain.com @ns1.mydomain.com
;; global options: +cmd
;; Got answer:
--snip--
mypublicname.mydomain.com.       86400   IN      A       4.2.2.2

So... what is happening?

As I often do, my first step into looking was a packet capture. I captured whilst doing first a "public" request and then a "private" request. The result was as below:

So, for a "normal", "public" request, the response is fine. For the "private" request, the server replies correctly, but our NAT router is sending an ICMP Destination Unreachable and the response never reaches the client. So, this immediately says that the router is doing some level of inspection at Layer 5 or above and electing to drop our DNS response, which we don't want.

A quick bit of Googling later and I found this incredibly helpful article: https://plone.lucidsolutions.co.nz/networking/cisco/ios/a-workaround-for-nat-rewriting-dns-packets

This makes complete sense. So, I added the no-payload option to my NAT statement and immediately, all my DNS requests started working!