
This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.

You can view this article in the original Czech version.
VPN 1 - IPsec VPN and Cisco

Petr Bouška - Samuraj
The opening installment of a series that focuses on VPN technology. Here you will find a brief description of VPNs and their types. Next, IPsec-based VPNs are described in more detail, primarily the Remote Access VPN type. The entire description is general, but the future focus is on deployment on Cisco devices, primarily Cisco ASA. At the end, the parameters supported by the Cisco VPN Client, the integrated client on Google Android and on Windows XP/Vista/7 are mentioned.

Virtual Private Network

The abbreviation VPN stands for Virtual Private Network: a private network that lets remote users or branch offices reach the organization's LAN over public telecommunication services, mainly the internet. A network spanning a large distance could also be built from leased lines, but that is very expensive (and useless for mobile workers). A VPN uses the comparatively cheap internet instead and solves the security problem by creating an encrypted tunnel between two points (or between a central site and several remote ones). A VPN provides confidentiality, authentication and integrity of the communication, among other things.

VPN is a very broad term covering a range of protocols and technologies. There are two main types of VPN:

  • Site-to-Site VPN - two (or more) networks are connected together, typically a headquarters and its branches, using dedicated network devices (VPN concentrator, firewall, router, server) that act as VPN gateways and establish the VPN connection between themselves (incoming traffic is decrypted and forwarded into the local network normally, outgoing traffic is encapsulated into the VPN tunnel); user workstations need no VPN client; protocols/types commonly used are IPsec VPN and MPLS VPN
  • Remote Access VPN - individual clients are connected to the local network; each client must run special software, a VPN client, and on the private network side there is again a dedicated network device; protocols/types commonly used are SSL VPN and IPsec VPN

Another common way to divide VPNs is by the protocol on which the VPN is built:

  • IPsec VPN - Internet Protocol Security is probably the most widespread form of VPN; it is part of IPv6 and is widely used with IPv4, it is often combined with L2TP (L2TP over IPsec), and it has problems with NAT (solved by NAT-T)
  • SSL VPN - a newer VPN method that uses Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL); it usually runs on TCP port 443 (HTTPS), so it passes through firewalls well and, because it operates above the transport layer, has no problems with NAT; Microsoft's Secure Socket Tunneling Protocol (SSTP) belongs here, it carries PPP over SSL/TLS
  • MPLS VPN - Multiprotocol Label Switching is used mainly by ISPs, which create private networks for customers over their MPLS backbone; MPLS separates customer traffic with labels but does not encrypt it by itself

There are also a number of other VPN types (such as PPTP, SSH), but they are less widespread/used.

VPN Types on Cisco ASA

  • IPsec VPN
    • Site-to-Site - VPN devices are connected
    • Remote Access - uses Cisco VPN Client (or other VPN client software)
  • SSL VPN
    • Clientless SSL VPN - access through a web browser, previously called WebVPN
    • Cisco SSL VPN Client (Remote Access) - uses Cisco AnyConnect VPN Client

From ASA version 8.4 (and ASDM 6.4) Cisco added support for IKEv2 and divides IPsec VPN into IPsec (IKEv1) and IPsec (IKEv2); the IKEv2 remote access variant requires Cisco AnyConnect Client version 3.0 or later (and an AnyConnect license).

IPsec Remote Access VPN

IPsec, in full Internet Protocol Security, is a standardized suite of protocols for securing IP communication between two end systems. It includes mutual authentication of the peers and negotiation of cryptographic algorithms and keys. IPsec operates at the IP layer, that is Layer 3 of the OSI model, as an addition to IPv4 (in IPv6 it was originally a mandatory part of every node; RFC 6434 later relaxed this to a recommendation).

IPsec first has the two parties identify (authenticate) each other and then encrypts all traffic with the agreed algorithm. The communicating parties are called peers. Within IPsec a wide range of standard protocols and algorithms can be used. IPsec does not prescribe which algorithms must be used; it defines the negotiation mechanisms and a basic set of algorithms. What the negotiation ends up with depends on what both peers are configured to offer, so weak options (DES, MD5, DH group 1) should be removed from the configuration rather than just listed after stronger ones.

IPsec Operation Modes

IPsec can operate in two modes, (host-to-host) Transport mode and (network) Tunnel mode (the default); they differ in what is encrypted.

  • Tunnel mode - encrypts the entire original packet (including its IP header) and adds a new IP header. This mode is used by an IPsec gateway: the client sends plain data, the router encrypts it and forwards it, and the original inner addresses cannot be read from the traffic.
  • Transport mode - encrypts only the payload; the IP header stays unchanged and only an IPsec header is added. Some clients support only transport mode, for example the L2TP/IPsec client in Windows.

IPsec Protocols

IPsec has three main components:

  • Authentication Header (AH) - provides integrity and source authentication of the packet, using a keyed hash (HMAC with MD5 or SHA-1) over the payload and the immutable parts of the IP header with a key negotiated at the beginning; the header carries a sequence number for replay protection; it uses IP protocol number 51 and is hardly used today
  • Encapsulating Security Payload (ESP) - provides confidentiality, source authentication and integrity; it uses encryption algorithms (such as DES or AES) and an integrity algorithm (HMAC-MD5 or HMAC-SHA-1) and communicates as IP protocol number 50
  • Security Association (SA) - the set of parameters (algorithms, keys, lifetimes) that secure one direction of communication with AH or ESP; SAs are negotiated within the ISAKMP framework (Internet Security Association and Key Management Protocol) by a key management protocol, usually IKE (Internet Key Exchange); the attributes include the chosen encryption algorithm, key lifetime, compression and encapsulation method, and the negotiation itself runs encrypted after the initial key exchange

Establishing IPsec VPN

Typically an IPsec VPN connection proceeds as follows:

  1. Using IKE, the SA is negotiated over UDP port 500, with authentication by certificates (client and server) or a PSK
  2. Based on the SA parameters, encrypted communication using ESP is established on IP protocol 50

IKE - Internet Key Exchange

The IKE protocol is used at the start of IPsec communication to negotiate the Security Associations. IKE communicates over UDP port 500 and authenticates with certificates or a Pre-Shared Key (PSK). Keys are exchanged with the Diffie-Hellman method (it creates a shared session secret from which the encryption keys are derived). The subsequent communication is therefore encrypted, and IKE also serves as part of the authentication (we must hold a certificate or know the PSK). The version described here is IKEv1 (RFC 2409); IKEv2 (RFC 4306, revised in RFC 5996 and RFC 7296) is used in newer deployments.

IKE operates in two phases:

  • Phase 1 - the peers authenticate each other and negotiate the IKE SA (using Diffie-Hellman), which creates a secure channel for negotiating the IPsec SA in phase 2; it runs in main mode (six messages, protects the identities of the communicating parties) or aggressive mode (three messages, identities sent in the clear; with PSK authentication an observer also obtains a PSK-derived hash that can be attacked offline, so main mode is preferred)
  • Phase 2 - negotiates the IPsec SA parameters and sets up the corresponding SAs; only quick mode is used

Perfect Forward Secrecy (PFS) - an optional security enhancement for phase 2. Normally the phase 2 keys are derived from the phase 1 keying material, so anyone who later obtains the phase 1 secret can derive them too. With PFS, phase 2 performs a fresh Diffie-Hellman exchange whose result is mixed into the keys, so the IPsec keys cannot be recovered from the phase 1 secret alone.
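The effect of PFS can be seen in code. The following is an added example, not part of the original article: it models the IKEv1 phase 1 and phase 2 key derivation of RFC 2409 (SHA-256 stands in for the IKE PRF, and the DH group 2 modulus is used, which is far too small for real use and appears only because the clients in this article negotiate it) and shows that a passive observer who later steals the phase 1 secret recovers the IPsec keys only when PFS was off.

```python
"""Why PFS matters for IKE phase 2 keys.

Added example, not code from the original article. It models the IKEv1 key
structure from RFC 2409: phase 2 KEYMAT is prf(SKEYID_d, [g(qm)^xy |] protocol |
SPI | Ni_b | Nr_b), where the bracketed quick-mode DH secret is present only
with PFS. A SHA-256 hash stands in for the IKE PRF (simplification for the
example). The modulus is IKE DH group 2 (1024-bit MODP, RFC 2409); it is too
small for real deployments and is used here only for illustration.
"""
import hashlib
import secrets

# IKE DH group 2 (RFC 2409 section 6.2), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = 2 + secrets.randbelow(P - 3)
    return x, pow(G, x, P)


def dh_shared(x, peer_pub):
    """Shared secret g^xy mod p as fixed-width bytes."""
    return pow(peer_pub, x, P).to_bytes(P_BYTES, "big")


def prf(key, *data):
    """Stand-in for the IKE PRF (real IKEv1 uses HMAC with the negotiated hash)."""
    h = hashlib.sha256(key)
    for d in data:
        h.update(d)
    return h.digest()


def phase1_skeyid_d(g_xy, nonce_i, nonce_r):
    """Phase 1: both peers derive SKEYID_d from the DH secret and the nonces."""
    return prf(g_xy, nonce_i, nonce_r, b"\x00")


def phase2_keymat(skeyid_d, spi, nonce_i, nonce_r, qm_secret=b""):
    """Phase 2 quick mode: IPsec keying material. Without PFS qm_secret is
    empty, so the keys depend only on SKEYID_d and values sent on the wire."""
    protocol = b"\x03"  # ESP
    return prf(skeyid_d, qm_secret, protocol, spi, nonce_i, nonce_r)


def run_exchange(pfs: bool):
    """Simulate initiator, responder and a passive observer who records all
    traffic and later steals SKEYID_d.
    Returns (peers_agree, observer_recovers_keymat)."""
    # Phase 1 (main mode): DH values and nonces are exchanged, SKEYID_d derived.
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    skeyid_d_i = phase1_skeyid_d(dh_shared(xi, gr), ni, nr)
    skeyid_d_r = phase1_skeyid_d(dh_shared(xr, gi), ni, nr)

    # Phase 2 (quick mode): SPI and fresh nonces are public; with PFS a second
    # DH exchange happens whose private exponents never leave the peers.
    spi = secrets.token_bytes(4)
    qni, qnr = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        qxi, qgi = dh_keypair()
        qxr, qgr = dh_keypair()
        qm_i, qm_r = dh_shared(qxi, qgr), dh_shared(qxr, qgi)
    else:
        qm_i = qm_r = b""
    keymat_i = phase2_keymat(skeyid_d_i, spi, qni, qnr, qm_i)
    keymat_r = phase2_keymat(skeyid_d_r, spi, qni, qnr, qm_r)

    # Observer: recorded spi, qni, qnr (and the public qgi/qgr) and later
    # obtained SKEYID_d. Without the quick-mode exponents the best it can do
    # is the no-PFS formula.
    observer_keymat = phase2_keymat(skeyid_d_i, spi, qni, qnr, b"")
    return keymat_i == keymat_r, observer_keymat == keymat_i


if __name__ == "__main__":
    print("without PFS:", run_exchange(pfs=False))  # (True, True): observer wins
    print("with PFS:   ", run_exchange(pfs=True))   # (True, False): observer fails
```

The two booleans returned by run_exchange show the peers always agree on the key, while the observer's reconstruction succeeds only in the no-PFS case; on a Cisco ASA this is the difference between leaving PFS off in the crypto map and enabling it with a DH group the client supports.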

The IKE extension XAUTH (Extended User Authentication) allows user authentication against an AAA server such as RADIUS. It is an extension, not a replacement. Normally IKE authenticates only the machine (its certificate or PSK) in phase 1. XAUTH adds an additional exchange (after phase 1 and before phase 2) in which the user is authenticated with AAA methods, typically a username and password or a one-time token.

NAT-T - Network Address Translation - Traversal

IPsec packets are protected by an integrity check so that their content cannot be changed. With AH the check covers the IP header as well, so a NAT on the path, which rewrites the addresses, causes the check to fail and the packet to be discarded. ESP does not cover the outer IP header, but a NAT that translates ports (PAT) finds no TCP/UDP header in an ESP packet to work with, so it cannot track more than one session. The solution is NAT-T: the ESP packet is encapsulated in a UDP header, which may be modified along the way; on the other side the UDP header is removed and the inner packet is intact. During IKE the peers detect the NAT (NAT-Discovery payloads) and agree on UDP encapsulation. The communication then uses UDP port 4500 for both IKE and ESP and is referred to as IPsec over UDP or IPsec over NAT-T.

On Cisco, encapsulation is possible not only in UDP but also in TCP (IPsec over TCP, a Cisco-proprietary method, default port 10000), and the port can be specified. Cisco also uses various terms for this, such as Transparent Tunneling or NAT Transparent.

L2TP over IPsec

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol designed to support VPNs. By itself it contains no encryption; it only creates a tunnel carrying PPP frames. It communicates on UDP port 1701. It is therefore often combined with IPsec, which provides confidentiality (encryption) and authentication; the combination is referred to as L2TP/IPsec. The roles are split: IKE authenticates the machines (certificate or PSK), and PPP inside the tunnel authenticates the user (for example with MS-CHAPv2 or EAP).

The connection establishment process can be:

  1. Using IKE, the SA is negotiated over UDP port 500 (UDP 4500 with NAT-T), with authentication by certificates (client and server) or a PSK
  2. Based on the SA parameters, encrypted communication using ESP in transport mode is established on IP protocol 50
  3. The L2TP tunnel is negotiated and established between the end points over UDP 1701, but this traffic is already encapsulated in IPsec, so on the wire only IP protocol 50 (or UDP 4500) is visible; UDP 1701 appearing unprotected means the IPsec policy did not apply
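To make the preceding descriptions concrete (the IKE/ESP steps, NAT-T and the L2TP/IPsec sequence), here is an added example that is not part of the original article: a small classifier that labels packets by the fields a firewall or IDS sees (IP protocol number, UDP ports and the first payload bytes of the NAT-T framing from RFC 3948) and lists what a firewall in front of the VPN gateway must permit. The sample packets are constructed for the example.

```python
"""Classify IPsec-related traffic on the wire.

Added example, not code from the original article. It labels a packet by
the fields a firewall or IDS rule keys on: IP protocol number, UDP ports
and the first bytes of the UDP payload (RFC 3948 NAT-T framing). The sample
packets below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50      # Encapsulating Security Payload
IPPROTO_AH = 51       # Authentication Header
IKE_PORT = 500        # ISAKMP / IKE
NATT_PORT = 4500      # IPsec over UDP (NAT-T), carries both IKE and ESP
L2TP_PORT = 1701      # L2TP; in L2TP/IPsec it must only ever travel inside ESP


@dataclass(frozen=True)
class Packet:
    proto: int
    payload: bytes = b""
    sport: Optional[int] = None
    dport: Optional[int] = None


def classify(pkt: Packet) -> str:
    """Return a label for one packet of an IPsec or L2TP/IPsec session."""
    if pkt.proto == IPPROTO_ESP:
        return "ESP"
    if pkt.proto == IPPROTO_AH:
        return "AH"
    if pkt.proto != IPPROTO_UDP:
        return "other"
    ports = {pkt.sport, pkt.dport}
    if IKE_PORT in ports:
        return "IKE"
    if NATT_PORT in ports:
        # RFC 3948 framing on UDP 4500: a single 0xFF byte is a NAT keepalive,
        # four zero bytes (the "Non-ESP Marker") precede IKE, anything else is
        # an ESP packet whose first four bytes are a non-zero SPI.
        if pkt.payload == b"\xff":
            return "NAT-T keepalive"
        if pkt.payload[:4] == b"\x00\x00\x00\x00":
            return "IKE over NAT-T"
        return "ESP over NAT-T"
    if L2TP_PORT in ports:
        # L2TP visible outside ESP: the IPsec policy did not apply and the PPP
        # authentication inside it is exposed.
        return "L2TP unprotected"
    return "other"


def required_permits(nat_traversal: bool) -> set:
    """What a firewall in front of the VPN gateway must allow inbound for an
    IPsec remote access VPN (AH omitted, the clients in the article use ESP)."""
    permits = {("udp", IKE_PORT), ("ip", IPPROTO_ESP)}
    if nat_traversal:
        permits.add(("udp", NATT_PORT))
    return permits


# Constructed sample packets, roughly in the order a NAT-traversed L2TP/IPsec
# client produces them; the ESP payloads start with a non-zero SPI 0x0000abcd.
SAMPLES = [
    Packet(IPPROTO_UDP, b"\x11" * 28, 500, 500),                          # IKE main mode
    Packet(IPPROTO_UDP, b"\x00\x00\x00\x00" + b"\x11" * 28, 4500, 4500),  # IKE after NAT detection
    Packet(IPPROTO_UDP, b"\x00\x00\xab\xcd" + b"\x22" * 60, 4500, 4500),  # ESP in UDP
    Packet(IPPROTO_UDP, b"\xff", 4500, 4500),                             # NAT keepalive
    Packet(IPPROTO_ESP, b"\x00\x00\xab\xcd" + b"\x22" * 60),              # ESP without NAT
    Packet(IPPROTO_UDP, b"\xc8\x02" + b"\x33" * 10, 1701, 1701),          # misconfiguration: L2TP in the clear
]


def classify_all(packets=SAMPLES):
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for p, label in zip(SAMPLES, classify_all()):
        print(f"proto={p.proto:3} sport={p.sport} dport={p.dport} -> {label}")
```

The last sample is the case worth alerting on: L2TP on UDP 1701 outside ESP means the client fell back to plain L2TP, so the PPP authentication exchange is on the wire unprotected.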

Other Features

Split Tunneling - only part of the client's traffic (the corporate address range) goes through the VPN and the rest goes directly to the internet. The default is that all traffic is routed through the VPN tunnel. Split tunneling saves bandwidth on the gateway, but the client is then on the internet and on the corporate network at the same time, bypassing the central filtering and inspection, so it should be an explicit decision rather than a convenience.

Parameters for Some IPsec VPN Clients

When creating a VPN, we need to know what algorithms and protocols a particular client supports, so that the resulting communication works.

Cisco VPN client

The Cisco VPN client supports most options and almost everything that can be configured on a Cisco ASA. IPsec must be in tunnel mode and L2TP is not supported. IPsec ESP with NAT-T can be used as IPsec/UDP or IPsec/TCP. Security: ESP encryption DES, 3DES (56/168-bit) and AES (128/256-bit), integrity hash functions MD5 and SHA, IKE with digital certificates, Diffie-Hellman (DH) groups 1, 2 and 5 with PFS, data compression LZS. Of these, DES, MD5 and DH group 1 are weak by today's standards and should not be offered if the clients allow it. For user authentication RADIUS, but I couldn't get user certificate authentication to work.

Windows XP or Windows 7

Microsoft has an IPsec VPN client built into its client operating systems (Windows 7 also supports SSTP and IKEv2, I haven't tested it). It also supports NAT-T, but if the server is behind NAT, this must be enabled in the registry on the client (AssumeUDPEncapsulationContextOnSendRule: 1 = server behind NAT, 2 = both client and server behind NAT; NegotiateDh2048 enables the 2048-bit DH group).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\"NegotiateDh2048"=dword:1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\"AssumeUDPEncapsulationContextOnSendRule"=dword:2

In Windows 7, the second value is located in a different place.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\"AssumeUDPEncapsulationContextOnSendRule"=dword:2

The standard client is L2TP/IPsec, so L2TP is required and IPsec must be in transport mode. Security supported: ESP encryption DES and 3DES, integrity MD5 or SHA-1, and DH groups 1, 2 and, with NegotiateDh2048, the 2048-bit group 14. There is no problem using EAP smartcard, i.e. user certificate authentication.

Google Android

In the mobile OS Google Android, a VPN client is reportedly integrated from version 1.6 onwards. We choose between L2TP/IPsec PSK VPN (a PSK is used for IKE) and L2TP/IPsec CRT VPN (we have a certificate for IKE). I couldn't find a description of the features anywhere, but from practical tests it seems the support is similar to Windows XP. So L2TP/IPsec in transport mode, ESP with DES and 3DES, MD5 and SHA-1.


Comments
  [1] Jech

    Very nice summary of VPN basics, thanks.

    Let me add my experience with the VPN client in W7 - I occasionally use it for L2TP over IPsec and I wouldn't really recommend it as a permanent solution. Apart from the fact that only a minimum of options can be set, it sometimes simply happens that it doesn't work and the system has to be restarted / or the services started manually. Moreover, every time I start the client, the notebook afterwards never manages to go to sleep and it hangs.

    And the moment you install another VPN client on the system, the integrated one is downright at odds with functionality...

    Monday, 11.04.2011 10:44
  [2] Samuraj

    Reply to [1] Jech: I have been using the native client in Windows XP, later Windows 7, for about 5 years now. Completely without problems. It may also depend on which server it is used against. And right now I temporarily have this solution together with the Cisco VPN client, also with no problem.

    Monday, 11.04.2011 11:24
  [3] ViSte

    Speaking of clients. I use the ShrewSoft VPN Client against ZyWALLs. It is free even for companies and runs on both Windows and Linux. I can only recommend it.

    Tuesday, 12.04.2011 16:46
  [4] Lobo

    And do you have any experience with the Android client against a VPN on IOS in classic IPsec mode (not SSL)?

    Sunday, 15.05.2011 22:10
  [5] Samuraj

    Reply to [4] Lobo: Just read part 3 of the series :-), it is described in detail there.

    Monday, 16.05.2011 08:06
  [6] Mikulas

    I'm trying to get a VPN working from an HTC Desire S, i.e. Android. After setting up the Android VPN, on the ASA I keep getting the error ...can't find a valid tunnel group aborting...

    Can anyone help me?

    Sunday, 27.11.2011 12:33
  [7] Mikulas

    I'm missing the group authentication name setting in the Android settings :(

    Monday, 28.11.2011 17:00
  [8] Samuraj

    Reply to [7] Mikulas: I use a device certificate. Otherwise I have a detailed guide here on how it works with Android.

    Monday, 28.11.2011 17:06
  [9] Mikulas

    So you don't have the PSK solution working? And where is that detailed guide ;) ? I can't find it :(

    Monday, 28.11.2011 19:47
  [10] Samuraj

    Reply to [9] Mikulas: I answered the same question here in comment 5! Part 3 of this series describes in detail the VPN setup for various clients (including Android).

    Tuesday, 29.11.2011 08:25
  [11] Peter

    Has anyone already dealt with connecting an Asus Prime with Android 4.x.x over IPsec? On the other side there is a ZyXEL USG 300.

    Thursday, 17.05.2012 10:41
  [12] Orbb

    Reply to [3] ViSte: Thanks, you saved my life. I was using the VPN client from Zyxel, which is paid, and spent about 50 hours figuring out why Outlook synchronization wouldn't work through it (it connected but didn't download the data). With the client from Shrewsoft it works like a charm, and it's free too :-) Beautiful :-)

    Friday, 22.06.2012 22:40
  [13] Dave

    Hi folks, does anyone have experience setting up a VPN on a Mac (10.7 Lion)? On the other side I have a Cisco 4400n. Unfortunately there is currently no working VPN client for the Mac that would run on the 64-bit version of the system. Thanks for any information.

    Monday, 23.07.2012 23:25
  [14] Vencour

    On Win7 I have the config file preferences.xml in the path C:\Users\xxx\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client; in theory you can have several such templates... unless there is a better solution?

    Friday, 06.09.2013 15:04