IPsec Remote Access VPN – Part 2 (Optional configuration)


The previous post shows you how to configure a basic IPsec Remote Access VPN using a Cisco IPsec VPN client with minimal configuration. This post is in continuation to the previous one, so do have a look at Part 1 which covers the basic configuration of an IPsec Remote Access VPN using the Cisco IPsec VPN Client.

Additional and optional configuration:

1. vpn-filter

This lets you control which network resources the clients are allowed to reach once they are connected over the remote access VPN.

In the example below, the remote client (192.168.1.1) is allowed to reach only port 80 on the internal server (172.21.1.10) through the VPN tunnel.

access-list vpnfilter extended permit tcp host 192.168.1.1 host 172.21.1.10 eq www log
!
group-policy ipsec_ra_policy attributes
 vpn-filter value vpnfilter

2. dns-server

This is the DNS server the clients will use for DNS queries.

group-policy ipsec_ra_policy attributes
 dns-server value 172.21.1.100 172.21.1.111

3. reverse-route

It injects a host route for each remote client that has successfully connected to the firewall.

“The primary benefits of RRI are that it enables the routing of IPSec traffic to a specific VPN headend device in environments with multiple (redundant) VPN headend devices, and ensures predictable failover time of remote sessions between headend devices when using IKE keepalives”

– extract from cisco.com.

crypto dynamic-map dyn_map 65535 set reverse-route

ASA# show route
! output omitted for brevity
C    1.1.1.0 255.255.255.0 is directly connected, outside
C    172.21.1.0 255.255.255.0 is directly connected, inside
S    192.168.1.1 255.255.255.255 [1/0] via 1.1.1.2, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, outside

Notice the route for 192.168.1.1. That is a remote client that has successfully connected to our gateway and with the reverse-route injection the ASA added a host route for that client. When the client disconnects, the route is removed from the routing table.

4. split-tunnel

Split-tunnel means telling the remote client to bifurcate its traffic: encrypted traffic goes across the tunnel and clear-text traffic goes out via its default gateway. By default, split-tunnel is configured to tunnel all traffic through the VPN. This means that all traffic the user generates, including ‘internet’ traffic, will be routed across the VPN! You definitely don’t want this unless you want to inspect all user traffic with an IPS or something along similar lines.

Under normal scenarios, you configure a split-tunnel, which puts a route in the remote client specifying the destinations to which the remote user will send traffic through the tunnel (thus encrypting it). Traffic that doesn’t match that route uses the default gateway configured on the remote client (unencrypted).

Here are the options you can use, as per your requirement:

ASA(config-group-policy)# split-tunnel-policy ?
group-policy mode commands/options:
 excludespecified   Exclude only networks specified by split-tunnel-network-list
 tunnelall          Tunnel everything
 tunnelspecified    Tunnel only networks specified by split-tunnel-network-list

access-list split_tunnel_acl standard permit 172.21.1.0 255.255.255.0
!
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
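To make the interaction between the split-tunnel-policy above and the vpn-filter from section 1 concrete, here is an added Python model (not ASA code and not the author's) of both ACLs: it decides whether a destination is sent through the tunnel and, if so, whether the vpn-filter permits the flow. The client address 192.168.1.1 and the internal hosts are from this post; 8.8.8.8 is a constructed internet destination.

```python
import ipaddress

# Constructed model of this post's group-policy pieces (not ASA code).
SPLIT_TUNNEL_POLICY = "tunnelspecified"  # or "excludespecified" / "tunnelall"
SPLIT_TUNNEL_ACL = [ipaddress.ip_network("172.21.1.0/24")]  # split_tunnel_acl
# vpn-filter "vpnfilter" as (action, proto, src, dst, dport); None = any port.
# Like any ASA ACL it ends with an implicit deny.
VPN_FILTER = [("permit", "tcp", "192.168.1.1/32", "172.21.1.10/32", 80)]


def is_tunneled(dst_ip, policy=SPLIT_TUNNEL_POLICY, acl=SPLIT_TUNNEL_ACL):
    """Does the client send traffic for dst_ip through the tunnel?"""
    dst = ipaddress.ip_address(dst_ip)
    in_list = any(dst in net for net in acl)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return in_list
    if policy == "excludespecified":
        return not in_list
    raise ValueError("unknown split-tunnel-policy: " + policy)


def vpn_filter_permits(src_ip, dst_ip, proto, dport, acl=VPN_FILTER):
    """First-match evaluation of the vpn-filter ACL with implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d, port in acl:
        if (p in ("ip", proto)
                and src in ipaddress.ip_network(s)
                and dst in ipaddress.ip_network(d)
                and port in (None, dport)):
            return action == "permit"
    return False  # implicit deny at the end of the ACL


def client_can_reach(src_ip, dst_ip, proto="tcp", dport=None):
    """Combine both: split-tunnel decides the path, vpn-filter the access."""
    if not is_tunneled(dst_ip):
        return "clear-text via local default gateway"
    if vpn_filter_permits(src_ip, dst_ip, proto, dport):
        return "permitted through tunnel"
    return "denied by vpn-filter"


if __name__ == "__main__":
    for dst, port in (("172.21.1.10", 80), ("172.21.1.50", 80), ("8.8.8.8", 443)):
        print(dst, port, "->", client_can_reach("192.168.1.1", dst, "tcp", port))
```

Note the ordering: a destination outside the split-tunnel list never reaches the vpn-filter at all, while a tunneled flow still needs a permit entry because of the implicit deny.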

5. group-lock

Group-lock is another interesting command. It locks a group-policy to a specific tunnel-group: when a user is assigned a group-policy under its own attributes and that group-policy is locked to a tunnel-group, the user can only connect to that tunnel-group.

tunnel-group ipsec_ra_tunnel_1 type remote-access
tunnel-group ipsec_ra_tunnel_1 general-attributes
 address-pool client_pool
tunnel-group ipsec_ra_tunnel_1 ipsec-attributes
 ikev1 pre-shared-key c1sc01
!
group-policy ipsec_ra_policy_1 internal
group-policy ipsec_ra_policy_1 attributes
 dns-server value 172.21.1.100 172.21.1.111
 vpn-filter value vpnfilter1
 group-lock value ipsec_ra_tunnel_1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl
!
username officeguy1 password strongpassword
username officeguy1 attributes
 vpn-group-policy ipsec_ra_policy_1

This is useful where it’s not feasible to distribute different .pcf files to hundreds of users joining or leaving the organization, such as contractors. Instead you distribute a common .pcf file containing all the tunnel-groups, but each user can only connect to the tunnel-group that has been locked to the group-policy assigned under the user’s attributes.

6. vpn-idle-timeout

This is straightforward: the VPN session is disconnected once it has been idle for the specified number of minutes.

group-policy ipsec_ra_policy_1 attributes
 vpn-idle-timeout 5

7. vpn-access-hours

This is quite a useful one. You can restrict or allow the remote client’s access to the company network by specifying a time-range.

time-range ipsec_ra_access_hours
 periodic weekdays 9:00 to 22:00
!
group-policy ipsec_ra_policy attributes
 vpn-access-hours value ipsec_ra_access_hours

TIP: Group-policy attributes can be configured either at the group level or per user.


5 thoughts on “IPsec Remote Access VPN – Part 2 (Optional configuration)”

  1. What is the difference between split-tunnel and vpn-filter? In the above scenario you have mentioned in the ACL that it allows 172.21.1.0/24 to be encrypted and allowed, whereas in vpn-filter you specified access to only 172.21.1.10 over port 80. Kindly clarify briefly: if we configured exactly the above setup, can the remote access client access the entire /24 subnet or only 172.21.1.10 on port 80?

  2. Hi Munvar,

    Split-tunnel adds a route in the remote client’s routing table and tells it that any traffic destined to that network is to be sent encrypted over the VPN tunnel. Without any vpn-filter applied, the remote client has access to the entire network specified in the split-tunnel. But once you apply a vpn-filter it works exactly like an ACL. So the answer to your question would be – Yes, it will allow access to 172.21.1.10 on port 80 only.

    Hope that helps :)

  3. Thanks for your clarification on this… Now I understand the difference between split-tunnel and vpn-filter. Thanks a lot.
