
IPSec Authentication and Authorization Models

Chapter Description

This chapter covers IPSec features and mechanisms that are primarily targeted at the authentication of remote access users. You'll learn about XAUTH, which provides extended authentication for IPSec telecommuters by using authentication schemes such as RADIUS, and about MODECFG, which uses a push model to deliver configuration attributes to the IPSec client.

From the Book

IPSec VPN Design


Mode-Configuration (MODECFG)

In remote access scenarios it is highly desirable to push configuration information, such as the client's private (internal) IP address and the addresses of DNS and WINS servers, to the client instead of configuring each client by hand. IPSec Mode-configuration (MODECFG) provides this functionality: the attributes are carried in a transaction exchange that is protected by the ISAKMP SA, so they are delivered only after the peer has been authenticated. Configuration for MODECFG using Cisco IOS is shown in Example 4-2.

Example 4-2. Cisco IOS MODECFG Configuration on the IPSec Gateway

vpn-gw1-east#
!
hostname vpn-gw1-east
!
username ezvpn password 0 east
username ezvpn1@vpngroup password 0 ezvpn1east
username ezvpn2@vpngroup password 0 ezvpn2east
aaa new-model
!
aaa authentication login vpn local
aaa authorization network vpn local
aaa session-id common
ip subnet-zero
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10 10
!
crypto isakmp client configuration group vpngroup
 key ciscoezvpn
 dns 10.1.1.10
 wins 10.1.1.11
 pool vpnpool
 include-local-lan
 backup-gateway 9.1.1.36
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto dynamic-map dynamic 1
 set transform-set vpn
 reverse-route remote-peer 9.1.1.33
!
!
crypto map vpn client authentication list vpn
crypto map vpn isakmp authorization list vpn
crypto map vpn client configuration address respond
crypto map vpn 3 ipsec-isakmp dynamic dynamic

In Example 4-2, the attributes that the gateway pushes are the dns, wins, and pool entries under crypto isakmp client configuration group vpngroup; the pool name refers to an ip local pool vpnpool definition that this excerpt does not show, and the gateway cannot hand out addresses until that pool exists. The line crypto map vpn client configuration address respond makes the gateway answer a client's MODECFG request rather than initiate the exchange itself, and crypto map vpn isakmp authorization list vpn ties the group lookup to the local AAA list. Note that the username ... password 0 lines and the group key are stored in clear text in the configuration; on a production gateway use username ... secret for the local accounts and treat the group pre-shared key as sensitive, because every client in the group shares it.

Some of the key attributes that can be pushed to a remote user using MODECFG follow:

  • INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS— Specifies an address within the internal network. The requested address is valid until the expiration of the ISAKMP SA that was used to secure the request. The address may also expire when the IPSec phase 2 SA expires, if the request is associated with a phase 2 negotiation.
  • INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK— The internal network's netmask.
  • INTERNAL_IP4_DNS, INTERNAL_IP6_DNS— Specifies an address of a DNS server or multiple DNS servers within the network. The responder may respond with zero, one, or more DNS server attributes.
  • INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS— Specifies an address of a NetBIOS Name Server (NBNS, that is, a WINS server) within the network. Multiple NBNSs may be requested. The responder may respond with zero, one, or more NBNS attributes.
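As an added illustration that is not part of the book's text, the following Python encodes and decodes the ISAKMP Attribute payload that carries these MODECFG attributes and walks through one REQUEST/REPLY exchange populated from the vpngroup settings in Example 4-2 (dns 10.1.1.10, wins 10.1.1.11). The attribute numbers and the REQUEST/REPLY/SET/ACK payload types are those of the IKE mode-config Internet-Draft, and the data-attribute TLV encoding is the one RFC 2408 defines. The 10.1.2.5/24 lease, the identifier 0x1234, the VPNGROUP dictionary, and all function names are assumptions made for this example.

```python
import ipaddress
import struct

# ISAKMP Attribute payload types (IKE mode-config Internet-Draft)
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4

# Attribute numbers from the same draft; IKEv2 (RFC 7296) kept the IPv4 ones
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK = 1, 2
INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS = 3, 4
INTERNAL_IP6_ADDRESS, INTERNAL_IP6_NETMASK = 8, 9
INTERNAL_IP6_DNS, INTERNAL_IP6_NBNS = 10, 11

ATTR_NAMES = {
    1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
    3: "INTERNAL_IP4_DNS", 4: "INTERNAL_IP4_NBNS",
    8: "INTERNAL_IP6_ADDRESS", 9: "INTERNAL_IP6_NETMASK",
    10: "INTERNAL_IP6_DNS", 11: "INTERNAL_IP6_NBNS",
}
IP4_ATTRS = {INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS}

# Generic ISAKMP header + mode-config header:
# next payload, reserved, payload length, cfg type, reserved, identifier
HDR = struct.Struct("!BBHBBH")


def encode_attribute(attr_type, value=b""):
    """One RFC 2408 data attribute in TLV form (AF bit clear: 2-byte length, then value)."""
    if not 0 < attr_type <= 0x7FFF:
        raise ValueError("attribute type must fit in 15 bits")
    return struct.pack("!HH", attr_type, len(value)) + value


def encode_attr_payload(cfg_type, identifier, attrs, next_payload=0):
    """Build a complete Attribute payload from (type, value) pairs."""
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    return HDR.pack(next_payload, 0, HDR.size + len(body), cfg_type, 0, identifier) + body


def decode_attr_payload(data):
    """Parse an Attribute payload; every attribute is bounded by the declared payload length."""
    if len(data) < HDR.size:
        raise ValueError("truncated Attribute payload header")
    _next, _r1, length, cfg_type, _r2, identifier = HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("payload length does not match data")
    attrs, off = [], HDR.size
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute")
        type_field, = struct.unpack_from("!H", data, off)
        af, attr_type = type_field >> 15, type_field & 0x7FFF
        if af:  # TV form: the two bytes after the type are the value itself
            attrs.append((attr_type, data[off + 2:off + 4]))
            off += 4
        else:   # TLV form: length-prefixed value, checked against the payload length
            alen, = struct.unpack_from("!H", data, off + 2)
            if off + 4 + alen > length:
                raise ValueError("attribute value overruns payload")
            attrs.append((attr_type, data[off + 4:off + 4 + alen]))
            off += 4 + alen
    return cfg_type, identifier, attrs


def client_request(identifier):
    """What the client sends: the attributes it wants, each with an empty value."""
    wanted = [INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS]
    return encode_attr_payload(CFG_REQUEST, identifier, [(t, b"") for t in wanted])


def gateway_reply(request, group, lease):
    """Answer a REQUEST from the group's attributes; `lease` is the address taken from the pool."""
    cfg_type, identifier, attrs = decode_attr_payload(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected ISAKMP_CFG_REQUEST")
    answers = []
    for attr_type, _ in attrs:
        if attr_type == INTERNAL_IP4_ADDRESS:
            answers.append((attr_type, ipaddress.IPv4Address(lease).packed))
        elif attr_type == INTERNAL_IP4_NETMASK:
            answers.append((attr_type, ipaddress.IPv4Address(group["netmask"]).packed))
        elif attr_type == INTERNAL_IP4_DNS:
            answers += [(attr_type, ipaddress.IPv4Address(a).packed) for a in group["dns"]]
        elif attr_type == INTERNAL_IP4_NBNS:
            answers += [(attr_type, ipaddress.IPv4Address(a).packed) for a in group["wins"]]
        # anything else is left unanswered: the draft allows zero attributes in a reply
    return encode_attr_payload(CFG_REPLY, identifier, answers)  # identifier echoed back


def describe(payload):
    """Decode a payload into (cfg type, identifier, {attribute name: [printable values]})."""
    cfg_type, identifier, attrs = decode_attr_payload(payload)
    out = {}
    for attr_type, value in attrs:
        name = ATTR_NAMES.get(attr_type, "ATTR_%d" % attr_type)
        if attr_type in IP4_ATTRS and len(value) == 4:
            text = str(ipaddress.IPv4Address(value))
        elif len(value) == 16:
            text = str(ipaddress.IPv6Address(value))
        else:
            text = value.hex()
        out.setdefault(name, []).append(text)
    return cfg_type, identifier, out


# Constructed sample mirroring Example 4-2's group "vpngroup". The excerpt does not show the
# address pool, so the 10.1.2.5/24 lease below is an assumption made for this example.
VPNGROUP = {"dns": ["10.1.1.10"], "wins": ["10.1.1.11"], "netmask": "255.255.255.0"}

if __name__ == "__main__":
    req = client_request(identifier=0x1234)
    rep = gateway_reply(req, VPNGROUP, lease="10.1.2.5")
    print(describe(req))
    print(describe(rep))
```

Two details matter for a gateway or client that parses these payloads: the reply must echo the request's identifier so the client can match it to what it asked for, and every attribute length must be checked against the payload length before the value is sliced out, which is where a careless parser reads past the buffer on a crafted payload.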

Like XAUTH, MODECFG is not a standard of the IPSec working group in the IETF; it exists only as an Internet-Draft. Although Cisco defined this protocol and most client implementations interoperate with the Cisco implementation, because it is not a standard there are no guarantees of interoperability between vendors.
