General Logic Overview
When establishing a VPN tunnel, ASA firewall matches tunnel-group names based on the following criteria list:
1) Using the IKE ID presented by the remote peer. It may be an IP address (default) or hostname. In some cases this might be an ezVPN group name, for example when you are using Cisco ezVPN client or ezVPN Remote feature.
2) Using the OU (Organization Unit) field from the DN found in digital certificate presented by the peer OR by using the certificate mapping rules. This only works when ISAKMP phase uses digital signatures for authentication. Certificate mapping rules translate the DN (distinguished name) found in the certificate to the tunnel-group name.
3) Using the remote endpoint’s IP address. It’s the last resort rule, and this is the only way to match the identity with PSK (pre-shared keys) and IKE Main Mode.
Before we move any further, recall that IKE uses either of two modes of operation for Phase 1: Main Mode (default) and Aggressive Mode:
a) Main Mode (MM), which is mandatory per RFC, establishes encrypted channel before exchanging the identities.
b) Aggressive Mode (AM), which is quicker than Main Mode, exchanges IDs in “clear text”, while performing DH (Diffie Hellman) exchange and establishing the secure channel. AM is less secure than MM is thus should be less preferred.
IKE MM with PSK
There are some important consequences of MM behavior, when using authentication based on pre-shared keys (PSK). When pre-shared keys are used for authentication, they are also used to generate the shared encryption key for ISAKMP SA (along with the DH generated key). When the ISAKMP responder receives a MM proposal from initiator, and selects authentication based on pre-shared keys, it should start the shared-key generation. This procedure requires to know the PSK of the remote peer in advance. However, there is a problem here – the responder does NOT know the ID of the initiator yet, only its IP address. Therefore, the only way to select the proper pre-shared key in MM is by looking the key up based on the initiator’s IP address. Even if you configure the use of hostnames for IKE IDs with PSK authentication, the keys and tunnel-group names are still looked up based on the IP addresses. This is the unique “feature” of ISAKMP MM with PSK.
IKE MM with digital signatures
Now consider the case when you are using MM with digital signatures (RSA sigs). In this situation, session key is not derived using the pre-shared key configured in both routers. Thus, the responder that accepts the policy based on digital signatures may delay the proper tunnel-group selection until it learns the IKE ID of the initiator. More than that, it may use the information from the DN field of the digital certificate presented by the initiator. By default the subject’s OU field in the certificate is used to match the tunnel group names, but you may configure flexible mapping rules.
In ASA firewall, the following default commands enable tunnel-group name lookup based on the OU (first) than IKE-ID (if present) and finally the Peer IP address:
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
IKE AM and names matching
Let’s see how AM affects the name matching procedure. When the responder receives an AM proposal, the proposal already contains the IKE ID of the initiator, even if the authentication method is PSK. The IKE ID might be and IP address or hostname or just any string (e.g. ezVPN group). The responder may use it to find the local tunnel-group and pre-shared key if needed. Thus, you may utilize tunnel-group names based on hostnames with IKE AM even with PSK authentication.
Activating IKE AM
IKE AM is automatically on with some VPN features, such as ezVPN remote. In order to initiate AM negotiation in ASA firewalls manually, use the command crypto map set phase1-mode aggressive. Enabling this feature in IOS is a bit convoluted. You should configure an ISAKMP profile first and then use it with a crypto map similar to the following:
crypto isakmp profile AGGRESSIVE
initiate mode aggressive
self-identity fqdn
keyring default
!
crypto map VPN isakmp-profile AGGRESSIVE
crypto map VPN 10 ipsec-isakmp
You may globally disable AM in Cisco IOS router using the command crypto isakmp aggressive-mode disable or using the command isakmp am-disable in ASA firewall. This will prevent the devices from accepting or initiaing any IKE AM connections.
Fallback Matching
What happens if none of the configured groups matches? If no specific group is found, the firewall would use the default group that is always present in the system: DefaultRAGroup. Thus, if you don’t have a specific group configured for the remote endpoint, but the authentication using the default group succeeds, the system will use the default policy for the new tunnel. In case you wonder, you may change the default tunnel-group name using the command tunnel-group-map default-group and specify your own group.
Certificate Mapping Rules
When using digital signatures authentication, ASA firewall supports certificate mapping rules to translate the issuer and subject names in the certificate to the tunnel-group name. The rules are configured using the command crypto ca certificate map [] . If no name is specified, the default map named DefaultCertificateMap is used for this purpose. Every entry in this map matches either part of issuer or subject DN in the certificate. For example
crypto ca certificate map MYMAP 10
issuer-name attr cn eq IESERVER1
subject-name co R3
You may match the DN as a whole string, without specifying any particular attribute like the second line does. When you have the map configured, you need to perform the following two steps:
1) Enable the mapping rules using the command tunnel-group-map enable rules.
2) Configure certificate map to tunnel-group mapping using the global commands tunnel-group-map [] .
You may repeat the second step how many times you want to map the particular entry to a tunnel group that exists in the sytem. If you don’t specify the name for the certificate map, the default is DefaultCertificateMap used. Notice that OR logic is implemented by mapping multiple certificate map entries to the same group. Thus, any of the matching entries will result in the incoming session being matched on the same group.
