Because of their flexibility, VPNs are quickly becoming one of the most popular methods for allowing remote access to networks and for establishing secure connections to small remote-office locations. VPNs go hand in hand with firewall devices. Couple that with the Cisco PIX firewall’s inherently strong security architecture, and you can see why the PIX is an ideal platform for establishing this kind of service. In this Daily Feature, I’ll show you how to set up VPN services using your existing PIX firewall.
My setup and some assumptions
For this article, I’ll use a Cisco PIX 515 firewall running version 5.1 of the Cisco PIX management software. My PIX firewall has 16 MB of RAM with an 8-MB flash and is licensed for VPN connections, which raises an important point: In order to use these services on your PIX, you’ll need to make sure your PIX software license includes VPN capability. If it doesn’t, contact your Cisco reseller to purchase the appropriate licenses.
I’ll assume your PIX is either up and running in production or in a working state in a lab where you can modify the configuration. You should be able to pass traffic through the firewall before embarking upon this VPN journey.
About Cisco PIX VPN services
The Cisco PIX VPN services are based on IP Security (IPSec), which is a vendor-neutral standard that defines methods of setting up virtual private networks. Clients that use the VPN are able to see services on the host network transparently, as if they were directly connected to it. The Cisco PIX firewall supports both PIX-to-PIX and client-to-PIX VPN configurations.
In this article, I’ll focus on client-to-PIX VPN configurations, which will enable you to provide remote network access to partners or telecommuters. Cisco calls this a remote-access VPN.
How do remote-access VPNs work?
Before setting up the VPN, it’s a good idea to brush up on the basics of how VPNs work. A little knowledge makes it easier to troubleshoot in the event of a problem and easier to maintain the service overall.
The first order of business is to understand the protocol at work: IPSec. In a remote-access configuration, IPSec is generally configured to allow Layer Two Tunneling Protocol (L2TP) connections from Windows 2000 or XP VPN clients. (These operating systems come bundled with IPSec-enabled L2TP clients. For Cisco PIX installations, Cisco provides a VPN client that will allow other operating systems, such as Windows 95, 98, and NT, to access the VPN services as well.)
IPSec operates in two steps. Using either manually configured keys or Internet Key Exchange (IKE)—which I will discuss next—step one handles the negotiation of security information between client and host. Once the negotiation is complete, step two uses this negotiated security information to begin passing data.
The second step is the negotiation of parameters between client and host. You can negotiate the parameters manually or via IKE. IKE is an automated method that allows for additional features such as dynamic authentication. Under IKE, keys can change in midsession.
IKE configuration uses five parameters to define its policy:
- The encryption algorithm IKE will use
- The hash algorithm it will use
- The method of authentication it will use to identify IPSec peers
- The group identifier, which IKE uses to derive a secret password without having to transmit that secret password over the connection
- The number of seconds for which the security association will be valid (with a default of 24 hours)
Now that we’ve covered the basics, you’re ready to set up client VPN services on your PIX.
Setting it up
For the purposes of this article, I’ll show you the configuration from a PIX running version 5.1(2) of the PIX firewall management software. I’ve also tested this configuration on a new PIX 501 firewall running version 6.1(2) of the software.
For this configuration, I’ll use the PIX command line. Note that I‘m not including my entire PIX configuration but only those commands required to get the VPN services up and running. The only parameter I’ve changed is keyname. Other than that, this is a complete configuration for a fully functional Cisco PIX-based VPN, which allows remote clients to access services on the network behind the firewall.
- ip local pool vpnpool 172.16.2.1-172.16.2.255—This command creates a local pool of addresses named vpnpool. These addresses will be used for VPN clients.
- sysopt connection permit-ipsec—This command changes the system options to allow IPSec connections.
- sysopt ipsec pl-compatible—This command allows IPSec to bypass the firewall’s NAT settings, and it also allows incoming IPSec packets to terminate at the outside interface.
- crypto ipsec transform-set myset esp-des esp-md5-hmac—This command creates a transform set named myset. A transform set specifies one or both of the IPSec security protocols, as well as the algorithm to use for them. My configuration uses esp-des, which is a 56-bit encrypted security protocol, and esp-md5-hmac, which uses the MD5 hashing scheme for encoding. These transform sets come into play during client negotiation to determine what protocol the PIX will use to protect the VPN traffic.
- crypto dynamic-map cisco 1 set transform-set myset—This command allows you to support secure connections with unknown clients, which is essential if you are to support remote users. One of the primary functions of this command is to specify a dynamic map named Cisco, a sequence number of 1, followed by the only required parameter, set transform-set, which defines the transform set to be used with this mapping.
- crypto map dyn-map 20 ipsec-isakmp dynamic cisco—This command specifies a map name of dyn-map, followed by a sequence number of 20. The ipsec-isakmp parameter indicates that the PIX will use IKE to establish IPSec security associations. The dynamic keyword tells the PIX to add the dynamic crypto map set to a static crypto map. Cisco is the name of this map.
- crypto map dyn-map interface outside—This command tells the PIX which interface to use for the previous command.
- isakmp enable outside—This command tells the PIX which interface to use to enable isakmp negotiation for IPSec. ISAKMP stands for Internet Security Association and Key Management Protocol and is one of the security protocols IKE supports. (The other two are Oakley and Skeme.)
- isakmp key keyname address 0.0.0.0 netmask 0.0.0.0—This command configures the PIX to use a wildcard, shared key. The keyname defines the authentication key to share between the PIX firewall and the VPN client. The 0.0.0.0 for the IP address and the netmask specify the wildcard nature of the command.
- isakmp identity hostname—This command sets the isakmp identity for the firewall.
- isakmp client configuration address-pool local vpnpool outside—This command tells the PIX which previously configured pool of addresses to use and which interface will be using them. With the ip local pool vpnpool statement, we previously configured the vpnpool address pool to range from 172.16.2.1 to 172.16.1.255.
- isakmp policy 10 authentication preshare—This command assigns a priority of 10 to the policy statements, using the isakmp policy command. You can set the authentication subcommand to either preshare or rsa-sig. If defined as preshare, the PIX is to use preshared keys; rsa-sig tells the PIX to use RSA signatures.
- isakmp policy 10 encryption des—This command tells the PIX to use 56-bit DES encryption. The other option is to specify 3des, which will enable the PIX to use triple DES encryption for the IKE policy instead.
- isakmp policy 10 hash md5—This command specifies the hashing algorithm the PIX will use, which can be either md5 or sha.
- isakmp policy 10 group 1—This command (group 1) tells the PIX to use the 768-bit Diffie-Hellman in the IKE policy. The other option is to specify group 2, which enables the 1,024-bit Diffie-Hellman technique. Diffie-Hellman is the first published technique for public key cryptography and asymmetric encryption and is based on the difficulty of calculating logarithmic values.
- isakmp policy 10 lifetime 1000—This command specifies how long each security association should stay valid (ranging in value from 120 seconds to 84,600 seconds).
Once you’ve set up the VPN services on the server, you need to allow clients to connect. Cisco provides a VPN client for just this purpose.
The current version of the Cisco VPN client is 3.5.1 and is available for download from the Cisco Web site, assuming you have a current Cisco Service Contract. If you have a service contract, you just need to log in to the site to download the software. If you don’t, you’ll need to purchase the client or use the version that came with your PIX.
To install the client, double-click on the installation file. If you install the client onto a Windows XP workstation, you’ll get a message indicating that you should change your driver signing settings to avoid error messages during the installation. I don’t recommend doing this; rather, deal with the error messages by choosing Continue Anyway when the messages come up. The messages simply inform you that Microsoft has not verified the drivers. The actual software installation is straightforward and asks you the standard Microsoft installation questions.
After the installation is complete, your system may ask to reboot. Once it does so, run the client by choosing Start | Programs | Cisco Systems VPN Client Files | VPN Dialer. This application will allow you to set up a connection to your host VPN server if you provide it with the information requested.
Use careful planning and strong keys
A VPN is a powerful tool. With a VPN, an organization can provide secure remote access to almost any internal equipment. As we’ve shown in this article, you can configure your existing Cisco PIX to provide these services, but you’ll need to do your homework to get the lay of the land before you start. Any keys you use should be strong enough to withstand brute-force attacks. When configuring a client VPN system, you’ll need to allow for the possibility of unknown clients in the configuration, as well as provide potential client users with an appropriate client, such as the one provided by Cisco for use with the PIX.