What measures are necessary or recommended to lock down an IOS VPN gateway (2621, IOS 12.1.2) using IPSec for remote access?
The obvious one I can think of is to allow only UDP 500 and IP protocols 50/51 (we will only use ESP in tunnel mode) on the external interface. Mode config is used to assign a private IP internally; cert-based authentication.
Does anyone have any pointers or advice? I am sure that this is an issue that many people are (should be) interested in, but I could not find anything... :(
Firewalling is a separate issue altogether from VPN. If you have the Firewall feature set on your router, you can activate that or better yet, set a firewall out in front of the router. Search Cisco for CBAC (context-based access control)
Thanks, I agree that firewalling is a different issue. But apart from that, is it necessary to 'harden' an IOS-based VPN server? I am also thinking about the VPN policy, i.e. who's allowed to connect and what are they allowed to do?
In our case a firewall will be deployed, but I am sure that many people use a VPN gateway "in front" of the firewall. Then it must be robust enough.
Sounds like you have more of an AAA issue than a firewall issue. A RADIUS or TACACS+ server can work from an existing NT database to provide Authentication and Authorization (who can connect and what they are allowed to do) for VPN clients. Windows 2000 Server has a RADIUS service (Internet Authentication Service) that will do the trick. Windows NT will require a third-party security server solution (CiscoSecure ACS, Steel-Belted RADIUS, etc.)
Employing CBAC (Firewall IOS) is a good idea on any access router; that, coupled with an access list that allows only protocols 50 & 51 (AH & ESP) and UDP port 50 (ISAKMP), will provide excellent protection.
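Putting the three answers together (outside-interface access list, CBAC, and RADIUS-backed AAA for the VPN users), here is an added example of what that lockdown looks like as an IOS configuration. It is not from anyone in this thread. The interface name, the outside address 203.0.113.1, the inside network 10.0.0.0/24, the RADIUS server 10.0.0.5, the client pool 10.10.10.0/24, the ACL numbers and the shared secret are all assumed values; CA enrollment for the certificates (crypto ca commands on 12.1) is assumed to be done already and is not shown. The access list uses the registered ISAKMP port, UDP 500, and IP protocol 50 for ESP and 51 for AH. One caveat worth knowing on releases of this era: packets that the router decrypts are checked against the inbound interface ACL a second time, so the ACL also has to permit the decrypted client traffic from the pool (the second-check behaviour was not removed until much later IOS releases).

```text
! Added example configuration (not from the thread); names and addresses are assumptions.
!
! 1. AAA: authenticate (xauth) and authorize (mode config / group policy) VPN
!    users against RADIUS, e.g. IAS on Windows 2000 Server; fall back to the
!    local database if RADIUS is unreachable.
aaa new-model
aaa authentication login vpn-xauth group radius local
aaa authorization network vpn-group group radius local
radius-server host 10.0.0.5 auth-port 1645 acct-port 1646
radius-server key RadiusSharedSecret
!
! 2. IKE phase 1 with certificate (RSA signature) authentication
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
 lifetime 28800
!
! 3. Mode config: hand out a private address to each client from a local pool
ip local pool vpnpool 10.10.10.1 10.10.10.254
crypto isakmp client configuration address-pool local vpnpool
!
! 4. Phase 2: ESP only, tunnel mode (the default), no AH
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! 5. Dynamic crypto map, because client source addresses are unknown in advance;
!    xauth and mode-config authorization are tied to the AAA lists above
crypto dynamic-map DYN 10
 set transform-set ESP-3DES-SHA
crypto map VPN client authentication list vpn-xauth
crypto map VPN isakmp authorization list vpn-group
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
! 6. CBAC (Firewall feature set required): inspect outbound sessions so only
!    return traffic for them is allowed back in through the outside ACL
ip inspect name FW tcp
ip inspect name FW udp
!
! 7. Outside ACL: only IKE and ESP/AH addressed to the gateway itself
access-list 110 permit udp any host 203.0.113.1 eq isakmp
access-list 110 permit esp any host 203.0.113.1
access-list 110 permit ahp any host 203.0.113.1
! decrypted client traffic is re-checked against this ACL on 12.1, so permit it
access-list 110 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 deny ip any any log
!
interface FastEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group 110 in
 ip inspect FW out
 crypto map VPN
!
! 8. Management plane: no services on the box that the VPN role does not need,
!    and management access only from the inside network
no ip http server
no service finger
no cdp run
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login authentication vpn-xauth
```

Two points that matter when adapting this: the `deny ip any any log` line is what turns the outside ACL into a useful tripwire (anything that hits it is either a misconfigured client or a probe), and the pool-to-inside permit in ACL 110 is the only way for decrypted traffic to get in on this release, so it should be as narrow as the inside resources the VPN users are actually allowed to reach, which is also where RADIUS per-user authorization (downloadable ACLs or group attributes) comes in for the "what are they allowed to do" question.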