Monday, December 1, 2008

Configuring WebVPN (SSL VPN)

VPN-SSL

For this lab you'll need a 12.4T image. I'm using:

c7200-advsecurityk9-mz.124-22.T

We have to configure this in 3 main steps:

  1. Configure WebVPN gateway (hostname, IP, certificate)
  2. Configure WebVPN context (URL lists, port forwarding, ACL, NBNS list...)
  3. Configure WebVPN group policy (Look and feel on the web interface, access to the resources)

To be sure that I would be tunneled and not routed, I applied an access list on router A. I was very surprised when I logged in to the web server on the win2003 host, for which I had added a url-list, and just by modifying the URL from:

https://192.168.1.1/http/0/server.mydomain.com/

to:

https://192.168.1.1/http/0/10.10.4.70/

I was able to reach the Monkey Web Server on the DSL Linux box. After that I found out that we can apply an ACL to the policy itself, and I got this syslog message:

*Nov 29 23:27:58.883: %SSLVPN-6-WEBVPN_APP_ACL_NET: The request( source ip: 192.168.1.2, destion ip : 10.10.4.70 ) from user cisco is denied by ACL

and also:

*Nov 30 00:37:03.803: %SSLVPN-6-WEBVPN_APP_ACL_NET: The request( source ip: 192.168.1.2, destion ip : 10.10.4.60 ) from user cisco is permitted by ACL
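
A url-list only fills in the portal's bookmarks; the ACL attached to the policy group is what produces the verdicts in the messages above. As an added example (not part of the original post), this Python sketch parses those WEBVPN_APP_ACL_NET lines and lists, per user, the destinations the ACL refused. The last two sample lines and the threshold are constructed.

```python
import re
from collections import defaultdict

# Field layout taken from the two messages in the post, including the
# router's own "destion" spelling; accepting other "dest..." spellings
# is an assumption.
ACL_RE = re.compile(
    r"%SSLVPN-6-WEBVPN_APP_ACL_NET: The request\(\s*source ip:\s*(?P<src>[\d.]+),"
    r"\s*dest\w*\s+ip\s*:\s*(?P<dst>[\d.]+)\s*\)\s*from user (?P<user>\S+) "
    r"is (?P<verdict>denied|permitted) by ACL"
)

# Lines 1-2 are the messages from the post; lines 3-4 are constructed.
SAMPLE = """\
*Nov 29 23:27:58.883: %SSLVPN-6-WEBVPN_APP_ACL_NET: The request( source ip: 192.168.1.2, destion ip : 10.10.4.70 ) from user cisco is denied by ACL
*Nov 30 00:37:03.803: %SSLVPN-6-WEBVPN_APP_ACL_NET: The request( source ip: 192.168.1.2, destion ip : 10.10.4.60 ) from user cisco is permitted by ACL
*Nov 30 00:41:10.101: %SSLVPN-6-WEBVPN_APP_ACL_NET: The request( source ip: 192.168.1.2, destion ip : 10.10.4.1 ) from user cisco is denied by ACL
*Nov 30 00:41:12.500: %SYS-5-CONFIG_I: Configured from console by console
"""

def parse(text):
    """Yield one dict per ACL verdict line; other syslog lines are skipped."""
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            yield m.groupdict()

def denied_targets(text):
    """Map user -> sorted distinct destinations the WebVPN ACL refused."""
    hits = defaultdict(set)
    for ev in parse(text):
        if ev["verdict"] == "denied":
            hits[ev["user"]].add(ev["dst"])
    return {user: sorted(dsts) for user, dsts in hits.items()}

def probing_users(text, threshold=2):
    """Users denied on at least `threshold` distinct hosts (assumed cut-off)."""
    return [u for u, d in denied_targets(text).items() if len(d) >= threshold]

if __name__ == "__main__":
    print(denied_targets(SAMPLE))
    print(probing_users(SAMPLE))
```
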

All the syntax:

webvpn gateway VPN-SSL
hostname SSL-GW
ip address 192.168.1.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-4294967295
inservice
!
webvpn context SSLCTX
title "VPN-SSL Page"
ssl authenticate verify all
!
url-list "MYLINKS"
   heading "Quicklinks"
   url-text "Homepage" url-value "server.mydomain.com"
   url-text "Homepage2" url-value "server.mydomain.com/index2.htm"
   url-text "IIS Start page" url-value "server.mydomain.com/iisstart.htm"
!
acl "TEST"
   permit http any 10.10.4.60 255.255.255.255 syslog
!
nbns-list "NBNS"
   nbns-server 10.10.4.60
login-message "User/Pass Please"
!
port-forward "PF"
   local-port 25555 remote-server "server.mydomain.com" remote-port 25 description "MAIL"
!
policy group SSL-Policy
   url-list "MYLINKS"
   acl "TEST"
   port-forward "PF"
   nbns-list "NBNS"
   functions file-access
   functions file-browse
   functions file-entry
   banner "Eureka!"
   timeout idle 1800
   timeout session 36000
!

default-group-policy SSL-Policy
gateway VPN-SSL
inservice

For some reason the port forwarding was recognized as local port 25 instead of 25555 as it is in the config. Also I haven't tested the Windows file shares, because my win2003 and my laptop were in different workgroups, and I was too lazy to reboot :-)

Sunday, November 30, 2008

VPN configuration using certificates

Here we have a topology very similar to the previous example. The difference is that we have added an NM-1FE-TX card on router B and connected a virtual Windows 2003 server, which will play the role of CA server. The IP address assigned to the server is 10.10.4.60. We have installed support for the SCEP protocol on that server as well. You can download it for free (something free from Microsoft? Amazing, isn't it? :-) ) from here: http://download.microsoft.com/download/c/e/e/ceef4ccf-b603-4790-bd9e-f112c3270d2e/cepsetup.exe

Also we have added static routes to the 10.10.4.0/24 network on the routers that need to reach the CA server. Before starting the configuration, we have to verify that we can reach the CA server from all the routers, and that we cannot reach the 10.10.3.0/24 network from router A, nor the 10.10.2.0/24 network from router D.

After installing the cepsetup.exe file on the CA server, we will get the URL for SCEP enrollment. You need to write it down. In my case it is: http://jas-uvjdckpdvov/certsrv/mscep/mscep.dll (What a strange name for a Windows server, isn't it? :-) ) At this point all the configuration files are named x-confg-u, where x is the router name.

We need to do a bit of preparation before starting to configure the peers. We need to make sure that the time and date are the same on the VPN peers as well as on the CA server. Probably the handiest option for this lab would be to set up the CA as an NTP server, but I wasn't able to find out how to do that from Windows help :( We also need to configure the domain name and an ip host entry for the CA server, and to generate the RSA keys for both peers.

First of all we need to request a certificate from the CA. I experienced some issues during this process, and I'll try to explain them here. After we have configured the time and date and the domain name, generated the RSA keys, and assigned an ip host entry for the CA server, we can continue with the configuration:

A(config)#crypto pki trustpoint jas-uvjdckpdvov
A(ca-trustpoint)#enrollment mode ra
A(ca-trustpoint)#enrollment url http://jas-uvjdckpdvov/certsrv/mscep/mscep.dll

The trustpoint name can be something more reasonable, as long as it is defined with the correct IP address as an ip host. I just wanted to be on the safe side here :-) At this point we have defined the URL for SCEP enrollment.

The 2nd step is to authenticate to the CA. Here is where I made the mistake of typing my own password. The syntax is:

A(config)#crypto pki authenticate jas-uvjdckpdvov
Certificate has the following attributes:
       Fingerprint MD5: 396C1E3F 9BDC2D71 641E5077 4E5ADC0D
      Fingerprint SHA1: 2EF2F253 B502F445 0EFC947E 2674FD7F A50A76E1

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

A(config)#crypto pki enroll jas-uvjdckpdvov
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this   password to the CA Administrator in order to revoke your certificate.   For security reasons your password will not be saved in the configuration.   Please make a note of it.

Password: password
Re-enter password:  password

% The subject name in the certificate will include: A.darkside.net
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 3B843B84
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate jas-uvjdckpdvov verbose' command will show the fingerprint.

.Oct 16 01:09:58.735: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 5B8E4A75 6320D376 18BB0461 87ED9DFF
.Oct 16 01:09:58.743: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: C9620276 3EB6CCC5 D8D6D241 1C931DF5 FD946901
.Oct 16 01:10:01.823: %PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority

We need to get the password from the CA in order for our request to be approved. It is stored at: http://localhost/certsrv/mscep/mscep.dll, it is valid for 60 minutes, and it can be used only once, which means you need to refresh that page when you enroll router D :-) After that we should get this wonderful syslog message:

Oct 16 01:17:25.179: %PKI-6-CERTRET: Certificate received from Certificate Authority.

We are almost good to go now. We just need to configure the isakmp policy, transform set, crypto map and access list, and to assign the crypto map to the VPN peer interface. Sooo easy :-). I made another mistake with the access list here. Stupid me... I created access lists in the format: "permit ip any <remote network>" and "permit ip <remote network> any" on both routers. That cost me an additional 30 minutes of staring at both router configurations, running debug, even bringing up SDM in the hope that it would tell me something more. All that I got were these very strange lines in the syslog:

Oct 16 01:29:54.055: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 172.30.6.2
Oct 16 01:29:54.059: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
Oct 16 01:29:54.063: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 172.30.6.2 remote 172.30.1.2)
Oct 16 01:29:54.067: ISAKMP: set new node 1138201416 to QM_IDLE
Oct 16 01:29:54.075: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1705632040, message ID = 1138201416

You can easily simulate this by deleting one line from the access list in the working configuration and allowing ip any any as the 2nd line of that access list.

Oct 16 00:02:11.291: map_db_find_best did not find matching map
Oct 16 00:02:11.295: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 172.30.6.2
Oct 16 00:02:11.299: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
Oct 16 00:02:11.303: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 172.30.6.2 remote 172.30.1.2)

After changing the access lists to the format: "permit ip <local net> <remote net>", "permit ip <remote net> <local net>", I finally got the ping response from the remote network.
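
As an added example (not from the original post), this Python check tests whether two peers' crypto ACLs are mirror images, run against the "any"-based pair described above and a corrected pair. The wildcard masks and the one-line corrected ACLs are assumptions, and the check models the mirror-image rule only, not IOS's full proposal matching.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_entry(line):
    """Parse 'permit ip <src> <dst>'; each side is 'any' or 'addr wildcard'."""
    tok = line.split()
    if tok[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported entry: {line!r}")
    nets, i = [], 2
    while i < len(tok):
        if tok[i] == "any":
            nets.append(ANY)
            i += 1
        else:
            # ipaddress accepts a Cisco-style wildcard (host mask) after the slash
            nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"))
            i += 2
    if len(nets) != 2:
        raise ValueError(f"expected source and destination: {line!r}")
    return tuple(nets)

def mirror_findings(local_acl, remote_acl):
    """List problems that keep the peer from matching our proxy identities."""
    remote = {parse_entry(entry) for entry in remote_acl}
    findings = []
    for line in local_acl:
        src, dst = parse_entry(line)
        if ANY in (src, dst):
            findings.append(f"{line!r}: 'any' used as a proxy identity")
        if (dst, src) not in remote:
            findings.append(f"{line!r}: peer has no mirrored entry {dst} -> {src}")
    return findings

# Router A is "local", router D is "remote"; networks are the ones in the post.
BROKEN_A = ["permit ip any 10.10.3.0 0.0.0.255", "permit ip 10.10.3.0 0.0.0.255 any"]
BROKEN_D = ["permit ip any 10.10.2.0 0.0.0.255", "permit ip 10.10.2.0 0.0.0.255 any"]
FIXED_A = ["permit ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255"]
FIXED_D = ["permit ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255"]

if __name__ == "__main__":
    for finding in mirror_findings(BROKEN_A, BROKEN_D):
        print("BROKEN:", finding)
    print("FIXED:", mirror_findings(FIXED_A, FIXED_D) or "mirrored")
```
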

Configuration steps for this lab:

1. Set the correct time and date, domain name and RSA keys, and assign an ip host for the CA
2. Define the trustpoint, the enrollment mode and the URL
3. Authenticate on the CA
4. Enroll for the certificate, with the correct password :-)

You can get the usual files from here:

http://sites.google.com/site/cciesecurityattempt/Home/vpn-pki.zip

TO BE UPLOADED: vpn-pki.cap, vpn-pki-cap.png

Sunday, November 23, 2008

Configuring DMVPN

DMVPN

It took me some time to reach a working DMVPN config. The DMVPN solution combines IPSec, mGRE and NHRP to achieve the scalability that we need when implementing the solution. If you get stuck with the CLI configuration, I strongly recommend configuring it with SDM, then erasing it and going back to configure it with the CLI. The working config that I'll upload uses the default naming and settings from SDM. Router B simulates the Internet, router A is the hub router, and routers C, D and E are the spoke routers. All the spoke routers have a default gateway defined on their fa0/0 interfaces (in practice, those interfaces would be dynamically assigned by the ISP). The NHRP part of the config is a bit tricky, but configuring it via SDM is straightforward.

 

Thursday, October 16, 2008

CCIE Blueprint version 3 out

Today Cisco announced version 3 of the CCIE Blueprint. You can find it here:

http://www.cisco.com/web/learning/le3/ccie/security/lab_exam_blueprint_v3.html


The CCIE equipment and software versions for this exam are here:

http://www.cisco.com/web/learning/le3/ccie/security/lab_equipment_v3.html

At first look, the PIX firewall and VPN Concentrators are out of the blueprint, and there are not many other changes:

In the Identity Management part there are 2 new topics:

  1. Configure LDAP
  2. Configure certificate-based authentication

More or less the topics are the same as before.

I was in doubt whether the PIX would be in the new version of the blueprint, and I wasn't sure which exam I should choose as my next one, 642-523 or 642-524, but now it is clear that I'll choose the ASA one. Also I'm very happy that VPN concentrators are out, as I don't have any experience with them at all.


Monday, October 13, 2008

VPN configuration with pre-shared key

 


In this topology I have 4 routers: 2 of them simulate the Internet (B and C) and 2 of them are VPN peers (A and D). I have static routes defined for simplicity. Before starting to configure the VPN we need to verify that we can reach the peer IP addresses (172.30.1.2 and 172.30.6.2) from routers A and D, but that we cannot reach 10.10.2.1 or 10.10.3.1.


A(config)#do ping 10.10.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.3.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

A(config)#do ping 172.30.6.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.30.6.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/37/92 ms

D(config)#do ping 10.10.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.2.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)



At this point I'll save the config files and name them: a-confg-u, b-confg-u…

u means Unconfigured :P

After I have the IPs of the interfaces and the routing configured, I’ll keep a configuration with only routing configured, so next time I won't have to configure interfaces and routes again. I will only switch the configuration files in the net file. This way I’m planning to improve my configuration speed for when the time for the big lab exam comes. I’ll also keep the network diagram there, and at the bottom of the diagram I’ll write a few remarks/guides. I’ll upload all the net files, all the config files with only routing, the finished config files and my diagrams as well. I hope someone will find them useful in the future. I’m sure that I’ll find them useful after 6-9 months :P

I have decided not to write detailed instructions for configuring each step. You can find that information everywhere, and I don't see any point in copying and pasting from the console. These posts are meant to be used 1-2 weeks before the CCSP exams, and 1-2 months before the LAB exam. I think there might be exceptions for configurations that are long and hard to remember.


Steps required for configuration of a site-to-site VPN with a pre-shared key:

  1. Setup ISAKMP policy (IKE Phase 1) + pre-shared key
  2. Setup IPSec Transform Set (IKE Phase 2)
  3. Define interesting traffic (access-list)
  4. Setup crypto map (type of IPSec ISAKMP/Manual, match ACL, set peer, sa, transform set) (syntax: crypto map MYMAP 156 ipsec-isakmp)
  5. Assign crypto map on interface
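
As an added example (not the author's config files), the Python below embeds a constructed router A configuration that follows the five steps and checks that the pieces reference each other: a key for every peer, a defined transform set and access list, and a crypto map applied to an interface. The key string, policy values, the names TS and 101 and the outside interface are assumptions; the peer address, networks and the crypto map line come from the post.

```python
import re

# Constructed router A config following steps 1-5 above.
CONFIG_A = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key EXAMPLE-KEY address 172.30.6.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
access-list 101 permit ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255
crypto map MYMAP 156 ipsec-isakmp
 set peer 172.30.6.2
 set transform-set TS
 match address 101
interface FastEthernet0/0
 crypto map MYMAP
"""

def lint(cfg):
    """Return the steps whose pieces are missing or point at nothing."""
    problems = []
    if not re.search(r"^ authentication pre-share$", cfg, re.M):
        problems.append("step 1: no ISAKMP policy with pre-share authentication")
    keyed = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M))
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", cfg, re.M))
    acls = set(re.findall(r"^access-list (\d+) ", cfg, re.M))
    maps = set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", cfg, re.M))
    applied = set(re.findall(r"^ crypto map (\S+)$", cfg, re.M))
    for peer in re.findall(r"^ set peer (\S+)", cfg, re.M):
        if peer not in keyed:
            problems.append(f"step 1: no pre-shared key for peer {peer}")
    for ts in re.findall(r"^ set transform-set (\S+)", cfg, re.M):
        if ts not in tsets:
            problems.append(f"step 2: transform-set {ts} is not defined")
    for acl in re.findall(r"^ match address (\S+)", cfg, re.M):
        if acl not in acls:
            problems.append(f"step 3: access-list {acl} is not defined")
    if not maps:
        problems.append("step 4: no ipsec-isakmp crypto map")
    for name in sorted(maps - applied):
        problems.append(f"step 5: crypto map {name} is not applied to an interface")
    return problems

if __name__ == "__main__":
    print(lint(CONFIG_A) or "all five steps present and cross-referenced")
```
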

_____________________________________________

After the configuration you should try to ping from router A or D with a source address from the 10 network:

D#ping 10.10.2.10 source fa0/1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.2.10, timeout is 2 seconds:

Packet sent with a source address of 10.10.3.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/30/48 ms

 

Useful show commands:

  • show crypto isakmp sa
  • show crypto ipsec sa
  • show crypto map
  • show crypto session
  • debug crypto isakmp
  • debug crypto ipsec

The biggest “trouble” I had here was to remember the syntax of step number 4, therefore I added the syntax into the picture diagram above.

The config files with final configuration will be named: a-confg and d-confg.

Files which will be uploaded:

  • vpn-pre-shared-key.doc
  • vpn-pre-shared-key-small.png
  • vpn-pre-shared-key.net
  • a-confg-u, b-confg-u, c-confg-u, d-confg-u (conf files with routing configured)
  • a-confg, d-confg (working VPN config).

UPDATE: I have added a capture and a few Wireshark screenshots.

There you can see 6 ISAKMP Phase 1 packets and 3 Quick Mode Phase 2 packets. The first 2 ISAKMP packets are the policy negotiation.

The second pair of ISAKMP packets is the DH exchange.

The 3rd pair is the identity information exchange (pre-shared key).

This is the first encrypted packet.

Phase 2 (Quick mode) is done in 3 packets:

1. The requestor sends the IPSec SA proposal, with optional info on whether Perfect Forward Secrecy (PFS) will be used.

2. The responder checks the proposal and sends back an answer.

3. The requestor sends a confirmation that the SA has been negotiated.

After this process the data encryption will start.

Plans for a future post:

An analysis of unsuccessful connections.

You can get them from here:

http://sites.google.com/site/cciesecurityattempt/Home/vpn-pre-shared-key.zip

to be uploaded: vpn-pre-shared-key-cap.zip

 

Friday, August 8, 2008

First post

I didn't believe in such things as blogs when they first appeared in the web world.
Right now I find them very informative, and I occasionally read 4-5 of them.
Inspired by Tassos (http://ccie-in-3-months.blogspot.com/), I'm creating my first post today, and hope that this place will survive for 15 months. I'm planning to post my configurations (dynagen files, and drawings (I hope) ) of most of the labs that I will perform to obtain the Security certificate from Cisco.
Estimated time for the LAB exam is somewhere in November 2009 for now. Today I passed SND, and I have 4 more exams before reaching the written and lab exam.
Let the journey begin!