Creating an SSL VPN

Problem

You want to create an SSL VPN using Cisco's WebVPN services on an IOS router.

Solution

You can configure a simple SSL VPN on a router, essentially constructing an HTTPS portal that includes simple port forwarding:

Core#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Core(config)#hostname Core
Core(config)#ip domain-name oreilly.com
Core(config)#aaa new-model
Core(config)#aaa authentication login local_auth local
Core(config)#username ijbrown secret ianspassword
Core(config)#username kdooley secret kevinspassword
Core(config)#crypto pki trustpoint WEBVPN
Core(ca-trustpoint)#enrollment selfsigned
Core(ca-trustpoint)#rsakeypair WEBVPN 1024
Core(ca-trustpoint)#subject-name CN=WEBVPN OU=cookbooks O=oreilly
Core(ca-trustpoint)#exit
Core(config)#crypto pki enroll WEBVPN
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-3299111097.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]:yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

Core(config)#interface Loopback0
Core(config-if)#ip address 172.25.100.2 255.255.255.255
Core(config-if)#exit
Core(config)#webvpn enable gateway-addr 172.25.100.2
Core(config)#webvpn
Core(config-webvpn)#ssl trustpoint WEBVPN
Core(config-webvpn)#ssl encryption 3des-sha1
Core(config-webvpn)#title "Cisco Cookbook WebVPN Portal"
Core(config-webvpn)#url-list COOKBOOKURLS
Core(config-webvpn-url)#heading "Cookbook URLs"
Core(config-webvpn-url)#url-text "Cisco Cookbook" url-value "http://www.oreilly.com/catalog/ciscockbk/"
Core(config-webvpn-url)#url-text "Perl Cookbook" url-value "http://www.oreilly.com/catalog/perlckbk2/"
Core(config-webvpn-url)#heading "Cisco URLs"
Core(config-webvpn-url)#url-text "The Books" url-value "http://www.oreilly.com/pub/topic/cisco"
Core(config-webvpn-url)#exit
Core(config-webvpn)#port-forward list SERVERLOGIN local-port 20003 remote-server 172.25.1.1 remote-port 23
Core(config-webvpn)#exit
Core(config)#end
Core#

Cisco introduced WebVPN functionality on IOS routers in Version 12.3(14)T. This feature is only available on Cisco 1800, 2800, 3700, 3800, and 7200 series routers, and on Cisco 7301 routers.

Discussion

We should start by stressing that the Secure Sockets Layer (SSL) WebVPN options available on an IOS router are severely limited compared to those available on dedicated VPN concentrator devices, such as the Cisco VPN 3000 series devices. In particular, the IOS version of WebVPN only supports SSL Version 3, and not Transport Layer Security (TLS); it doesn't support Cisco Security Desktop (CSD) or Cisco SSL VPN Client software; and it doesn't support Macromedia Flash URLs.

On the client side, you can run essentially any SSL-enabled browser such as Mozilla, Firefox, Internet Explorer, or Netscape. For full functionality, you must also have Java enabled on the browser, as WebVPN uses Java to handle the application port forwarding through the browser.

We begin this recipe by specifying the router's name and the domain name. This is because, as we mentioned in Recipe 12.5, this information is required for the key generation process:

Core(config)#hostname Core
Core(config)#ip domain-name oreilly.com

We then enable AAA, configure local user authentication, and define the usernames and passwords. Note that you could also use a Radius or TACACS+ server for this purpose, as we discuss in Chapter 4. If you have a lot of users, it is much easier to manage them on a central server:

Core(config)#aaa new-model
Core(config)#aaa authentication login local_auth local
Core(config)#username ijbrown secret ianspassword
Core(config)#username kdooley secret kevinspassword

Next, we need to define the certificate that we will use for the SSL connection. For simplicity we will use a self-signed certificate. In general it is preferable to use a trusted certificate authority rather than self-signed certificates, but for a purely internal purpose like an SSL VPN portal for enterprise users, self-signed certificates should be fine.

First, we must define the properties of the certificate:

Core(config)#crypto pki trustpoint WEBVPN
Core(ca-trustpoint)#enrollment selfsigned
Core(ca-trustpoint)#rsakeypair WEBVPN 1024
Core(ca-trustpoint)#subject-name CN=WEBVPN OU=cookbooks O=oreilly
Core(ca-trustpoint)#exit

In this case, we have stipulated that the certificate is to be self-signed and that we want to use 1024-bit RSA keys. The subject-name command allows you to specify other options in the certificate. This example sets the Organization (O=) and Organizational Unit (OU=) fields.

Next we create the certificate:

Core(config)#crypto pki enroll WEBVPN
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-3299111097.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]:yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

As you can see, this router already had a self-signed certificate. You can only have one such certificate on a router at a time, so creating this new certificate has destroyed the old one.

This router happens to be running the HTTPS administrative access system, which is already listening on TCP port 443. Because the SSL VPN will also use this same port, we have to be careful to assign it to its own IP address. For this purpose, we have created a new Loopback interface. We then simultaneously enable the WebVPN feature and assign the address to the process by using the webvpn enable command:

Core(config)#interface Loopback0
Core(config-if)#ip address 172.25.100.2 255.255.255.255
Core(config-if)#exit
Core(config)#webvpn enable gateway-addr 172.25.100.2

Next, we configure the actual HTTPS portal that users will see when they point their web browsers to this address. First we associate the SSL trustpoint with the certificate that we just defined, and then we specify that we will use Triple DES encryption with an SHA1 hash over the connection:

Core(config)#webvpn
Core(config-webvpn)#ssl trustpoint WEBVPN
Core(config-webvpn)#ssl encryption 3des-sha1

Other encryption methods are available, including single DES with SHA1 hashing:

Core(config-webvpn)#ssl encryption des-sha1

Or you can opt for RC4 encryption with an MD5 hash:

Core(config-webvpn)#ssl encryption rc4-md5

In our example, we opted for the most secure of the three options.

Then, if necessary, we can set up some links on the web page using the URLs of web sites to make it useful as a portal:

Core(config-webvpn)#title "Cisco Cookbook WebVPN Portal"
Core(config-webvpn)#url-list COOKBOOKURLS
Core(config-webvpn-url)#heading "Cookbook URLs"
Core(config-webvpn-url)#url-text "Cisco Cookbook" url-value "http://www.oreilly.com/catalog/ciscockbk/"

There are many additional options available to make this web portal function more aesthetically pleasing on the screen, including the ability to alter colors and even include GIF or JPEG images. We encourage the reader to simply play with the different options and find a scheme that suits their organization.

And, most usefully, we can define port-forwarding rules:

Core(config-webvpn)#port-forward list SERVERLOGIN local-port 20003 remote-server 172.25.1.1 remote-port 23

In this example, we have configured only one very simple rule called SERVERLOGIN for telnet access to a particular server. Once the user has connected to this WebVPN screen, they can use their local telnet application to connect to their own loopback address, 127.0.0.1, on the specified port (20003, in this case). This connection is then intercepted by a Java application on their local system and redirected through the SSL connection and over to the destination IP address.

In a similar way, you could configure an email application to connect to a particular local port and the same workstation loopback address. Java will then redirect this traffic to the router, which will use another port-forwarding rule that you have defined to send it to the email server. For example, here is a rule for forwarding POP services:

Core(config-webvpn)#port-forward list POPEMAIL local-port 20004 remote-server 172.25.1.1 remote-port 110

In this case, your workstation's POP mail client would be directed to get its mail from the address 127.0.0.1 and TCP port 20004.
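The following added example (not part of the recipe or of Cisco's own tooling) reads the relevant lines of the running configuration shown above, reconstructs the client-side mapping that the port-forward rules produce (127.0.0.1:local-port to remote-server:remote-port), and audits the choices the recipe makes: which of the three ssl encryption options is in use, the RSA key size, self-signed enrollment, and any two lists that claim the same local port on the workstation. The configuration text is a constructed sample that mirrors the commands in the recipe.

```python
import re

# Constructed sample: the relevant lines of the recipe's running config (not the page's own output)
SAMPLE_CONFIG = """\
crypto pki trustpoint WEBVPN
 enrollment selfsigned
 rsakeypair WEBVPN 1024
webvpn enable gateway-addr 172.25.100.2
webvpn
 ssl trustpoint WEBVPN
 ssl encryption 3des-sha1
 port-forward list SERVERLOGIN local-port 20003 remote-server 172.25.1.1 remote-port 23
 port-forward list POPEMAIL local-port 20004 remote-server 172.25.1.1 remote-port 110
"""

# The three ssl encryption choices the recipe lists, strongest first
CIPHER_NOTE = {"3des-sha1": "strongest of the three offered",
               "des-sha1": "weak: 56-bit DES", "rc4-md5": "weak: RC4 with MD5"}

PF_RE = re.compile(r"port-forward list (\S+) local-port (\d+) remote-server (\S+) remote-port (\d+)")


def parse_port_forwards(config):
    # {list name: (local port, remote server, remote port)} for every port-forward line
    return {m.group(1): (int(m.group(2)), m.group(3), int(m.group(4)))
            for m in PF_RE.finditer(config)}


def client_mapping(rules):
    # Where the user's telnet or mail client must connect (127.0.0.1:local-port)
    # and where the Java applet relays that connection to over the SSL session
    return {f"127.0.0.1:{lp}": f"{srv}:{rp}" for lp, srv, rp in rules.values()}


def audit(config):
    # Defender-side review of the choices the recipe makes; returns a list of findings
    findings = []
    m = re.search(r"ssl encryption (\S+)", config)
    cipher = m.group(1) if m else "none"
    findings.append(f"ssl encryption {cipher}: {CIPHER_NOTE.get(cipher, 'not one of the recipe options')}")
    m = re.search(r"rsakeypair \S+ (\d+)", config)
    if m and int(m.group(1)) < 2048:
        findings.append(f"rsakeypair {m.group(1)} bits: below the 2048-bit minimum current guidance expects")
    if "enrollment selfsigned" in config:
        findings.append("self-signed certificate: browsers warn unless it is installed on clients")
    seen = {}
    for name, (lp, _srv, _rp) in parse_port_forwards(config).items():
        if lp in seen:  # two lists claim the same 127.0.0.1 port on the workstation
            findings.append(f"local-port {lp} used by both {seen[lp]} and {name}")
        seen[lp] = name
    return findings
```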

See Also