cisco ccie security attempt

Test radius authentication on cisco

2010-10-19T10:20:00.000+02:00

There is a handy test commands once you've configured radius/tacacs and you're wondering if the authentication is working as expected. I've tested it on 3750 and 2800 with the specified versions of IOS below. According to cisco it should work from 12.2(28)SB.

SW#sh ver
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
SW#test aaa group radius server 1.2.3.4 auth-port 1645 user correctpass new-code
User successfully authenticated

SW#test aaa group radius server 1.2.3.4 auth-port 1645 user wrongpass new-code
User rejected

and on my 2800 router:
(C2800NM-ENTBASEK9-M), Version 12.4(13d), RELEASE SOFTWARE (fc2)

R1#test aaa group radius user correctpass new-code
Trying to authenticate with Servergroup radius
User successfully authenticated

R1#test aaa group radius user wrongpass new-code
Trying to authenticate with Servergroup radius

Note that on 2800 if the authentication is not successful you dont get any output for it. Could be a bug solved in later versions, or might be working as designed ;-)

Get rid of console timeout on GNS3/dynamips

2010-03-27T22:32:00.000+01:00

One of the things that I hate is the processor to be cycling on 100% while I'm trying to configure something. Most of the time the reason for it is console timeout. I'm using this script on each router to get rid of console timeout, and some other things:

en
conf t
no ip domain-lookup
no cdp log mismatch duplex
line console 0
exec-timeout 33333
end
wr

That will setup the timeout to 3 weeks and 2 days, and your processor can breath a bit ;-)

Enjoy!

Troubleshooting BGP Flowchart

2010-03-23T12:55:00.000+01:00

Amazing... just came across this flowchart. It is interactive as well!

Destination NAT (Outside NAT) on Cisco and xlate flags

2010-03-14T12:53:00.000+01:00

The task was extremely simple. The packet with: SRC: 10.111.0.0/24, DST: 192.168.252.10, needs to be translated to: SRC: 10.111.0.0/24, DST: 10.100.252.10. Having extensive amount of all kinds of NAT done on Checkpoint (you can do that with 3 clicks on Checkpoint), I thought this will be piece of cake. It took me 4-6 hours, going through many Cisco FWSM examples and I had to write to IPexpert CCIE Security mailing list for help.

I started to look for a way to use static (outside, inside) I as thought the first interface is the interface which will hit the packet. It turn out that I'm totally wrong, and it doesn't matter the order in the static statement as long the first statement match the real interface and the second interface match the mapped interface.

At the end the config was:

static (inside,outside) 192.168.252.10 10.100.252.10

We can use: show xlate debug to verify the NAT:

NAT from inside:10.100.252.10 to outside:192.168.252.10 flags si idle 0:00:33 timeout 0:01:00 connections 0

Note the "si" flag above. The list of all flags:

Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
o - outside, r - portmap, s - static

For explanation for each flag, check the table named: Translation Flags in the command refference for the version of the FWSM/ASA.

Also few days ago, Cisco announced that they will do changes also on NAT in ASA version 8.3.

NAT on FWSM and not good syslog message

2010-03-02T18:21:00.001+01:00

Syslog is absolutely my best friend in troubleshooting Cisco firewalls. Today, I got surprised by getting so "usual" message for such unpredictable issue. I hope Cisco can add new syslog message for this issue. I've checked version 4.1 documentation of syslog messages, and I wasn't able to find syslog message when traffic is dropped due to passing between interfaces with same security levels.

Today I was doing some NAT setup on FWSM 3.1. I wasn't sure that the config will work as there is no example on configuration guide for 2 nat statements with same number on same interface with different source addresses. However there was an example of this in the config guide for version 4.0 (Figure 15-15), so I wanted to try it if it will work. The configuration is below:

nat (if1) 1 192.168.16.0 255.255.240.0
nat (if1) 1 192.168.32.0 255.255.224.0
nat (if1) 1 192.168.64.0 255.255.192.0
nat (if1) 1 10.101.0.0 255.255.0.0
nat (if1) 1 10.114.0.0 255.255.0.0
nat (if1) 1 10.128.0.0 255.128.0.0
nat (if2) 1 10.216.0.0 255.255.0.0
nat (if3) 1 10.100.0.0 255.255.0.0
global (if4) 1 8.8.8.8

Everything worked as expected except the connections from if2. Looking at the log I got this message:

Mar 2 16:07:12 10.100.255.20 %FWSM-3-106011: Deny inbound (No xlate) tcp src if2:10.216.20.1/37377 dst if4

I've checked the access-list, and the hitcounts were there, so next step in the traffic flow is matching of xlate table. I've removed the specific nat statement, re-tried and same message. I've added it again and re-tried, and again the same message. It took some time until I got the idea to check the security levels on the interfaces, and I got this:

FWSM/context#show nameif
Interface                Name                     Security
ethernet2                if1                       25
ethernet4                if2                       20
ethernet3                if4                       20
ethernet1                if3                      100
ethernet5                if5                       20

After permitting traffic on same security levels interface, I got the connection:

FWSM/context# show runn same-security-traffic
same-security-traffic permit inter-interface

FWSM/context# show xlate debug | grep 10.216.20.1
TCP PAT from if2:10.216.20.1/34305 to if4:8.8.8.8/1039 flags ri idle 0:00:20 timeout 0:00:30 connections 1

FWSM/context# show conn detail | grep 10.216.20.1
TCP out 10.111.0.1:23 in 10.216.20.1:54785 idle 0:00:02 Bytes 64 FLAGS -

Next challenge, BGP

2010-02-28T19:18:00.001+01:00

After passing CCDA, my next adventure will be BGP. I'll use 2 sources, both of them recommended from my 2 colleagues who are CCIE holders.

- Internet Routing Architectures

According to my colleagues this is the BGP bibles. I've been through the first 4 chapters, and I cant wait to finish it.

In meantime I'll do some labs and troubleshooting using the book below (you should expect uploaded dynamips files and diagrams here in near future, unless I get extremely busy or lazy ;-) )

- Routing TCP/IP volume II

Jeff Doyle has a blog as well.

And off course I'll consult one of the best (if not the best one) networking blog from BGP/MPLS guru Ivan.

I'll keep you posted on this, I'm sure. In meantime if someone stumbled accross my messy blog, and have found another place with configuration tasks with solution in BGP, please leave a comment.

Thank you!

First design exam, Cisco CCDA

2010-02-28T19:02:00.001+01:00

Earlier this week I vent on CCDA. It wasn't that easy as I expected, but I got somewhat lucky and I was able to pass it with 87%. Passing score is around 82,5%.

There were a lot of question from Security, Routing, VoIP, QOS and Wireless. Extensive amount of questions came from SONA and Hierarchical design methods (Access / Distribution / Core layers) Some of the questions were tricky and took some 10 minutes calculation before answering.

I would like to share the books that I've used for preparation for this exam:

- Top-Down Network Design

I've been through this book page by page. I've enjoyed every second spent on it, as it tries to teach you how to think before designing some topology. Also the resources on the web page can be very helpful for the future. Highly recommended!

- CCDA Official Exam Guide

After top-down book, I've been through Wireless and VoIP chapters from this book, and briefly reviewed routing part. Last week before the exam, I've been through summary part of each chapter, and used the quick reference guide:

- CCDA Quick Reference Sheets.

Make sure that you're very well prepared before sitting on this exam. It is tricky, and it covers a lot of material.

Good Luck!

nat-control

2010-02-23T13:03:00.001+01:00

There are times when you think that access-list have some problems, and then you'll find out that the hitcounts are increasing. You're almost sure that the traffic is passing, but you cant find connection in the connection table? You've checked syslog and you've found one of those beautiful syslog messages:

%ASA-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80

%ASA-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80

%FWSM-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80

%FWSM-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80

We'll most probably you have nat-control enabled. You can verify it using the following command:

FWSM/CONTEXT# show runn nat-control
nat-control

Well, what is nat-control then? Nat-control is feature on Cisco firewalls to maximise the security. When it is enabled, each packet MUST match a NAT rule in order to pass the firewall. It is important to keep in mind that even packets initiated from HIGHER security level interface (inside) MUST match a NAT rule in order for the packet to be processed to lower security interface (outside). Nat-control is disabled by default.

Going aside - Network Design

2010-02-06T11:27:00.001+01:00

I've started to get more responsibilities of proposal of new solutions to our customer, not only related to security, I've decided to go through some design books, and maybe attempt a design exam from Cisco as well.

About CCSE, I'll wait for Bobby video to came out in February, and I think that should fill the gap needed for me to pass CCSE.

In meantime few days I go, I came across this book. What I like about it that it is not exam oriented, like certification guides, but it is more oriented to teach you how to think as designer.

Also very useful resources on author book site.

For me now there are 2 path's:

1. CCSE, CCIE Security Written and CCIE lab.

2. CCDA, then BGP, a bit of voice, and then CCDP.

Will depends on what role I'll have in the future of the project. Anyway, I'm sure I'll enjoy both path's.

Portchanneling, or how to bring the LAN down

2010-02-04T15:17:00.001+01:00

I had a lot of fun doing LAN refresh implementation on site for our client last 18 months. Sites were somewhere between 100 - 700+ users, and the number of switches were from 5 - 40. Gathering information's for their existing LAN, Preparing the design and configuration is one thing, on site implementation is something different, more challenging and more interesting.

Yesterday I've found out that is extremely easy to break such LAN remotely. With 1 move we've lost access to the core switch, whole site was down for 5-10 minutes, and after reloading of the core switch, and re-configuring everything was fine.

The task was to move a server from one VLAN to another, and to force that server to communicate with the site through the firewall installed on site. The routing function for the new VLAN is done by an UTM-1 Egde firewall, which is connected to the core switch. The server was connected on Access switch (same as the WAN router). I've made a step-by-step explanation for my colleague who had to perform the task, and I've made 1 mistake about portchanneling. I've asked him to modify the physical interfaces, instead of portchanneling interface. As soon as he started with the change, I got call from him that the site is down. I vent to his PC and I see the putty session with last command entered: "switchport trunk allowed vlan add 201" as instructed. Everything was down, so we called on site, they confirmed that site is down, and we asked the switch to be reloaded. It took 5-10 minutes, and we checked the command reference for portchanneling in meantime. One of the mistakes was that switchport configuration was edited on PHYSICAL interface, instead of virtual PORTCHANNEL (Po5) interface. After reload my colleague added the new VLAN on the Portchannel interface of the Access Switch first, and then added it on the Portchannel interface of Core switch, and everything vent ok. (the physical interfaces config got updated automatically as expected). Change vent fine, that server was migrated, and all the NATted connections towards the server were working as expected.

The "mystery" remained... why the heck we lost access to the Core switch? The Core switch have loopback interface and even that was not reachable until the switch got rebooted. I was enlighten by one of our colleagues, a CCIE R&S holder.

On 158 of the 160 sites, the WAN Router (Provided by ISP) is directly physically connected to the Core Switch. On 2 of the sites (I got this info today) the WAN router wasn't placed in the same room as the Core switch, and then we use portchannel bundled with 4 or more Gigabit physical interfaces, between the Core switch and the "Access" switch which is physically connected to the WAN router. Off course I didn't check if this was the case. So the logical L3 diagram was like :WAN->CORE---->ACCESS, but physically they were like: WAN->ACCESS---->CORE. By breaking the portchannel between the Core and Access switch, we lost access to the Core Switch, as the Core Switch wasn't physically connected to the WAN router.

Lessons learned:

1. Verify the network diagram. Verify if the configuration of the device corresponds to the diagram. (This should take less then 10 minutes, you can find outputs below)

2. Check the command reference and/or examples in case you haven't done the task recently (add vlan on a port-channel)

3. Do not make too many assumptions.

CORE#show ip route
S* 0.0.0.0/0 [1/0] via 10.122.134.1

CORE#show arp | inc 10.122.134.1
Internet 10.122.134.1 24 0000.0c07.ac01 ARPA Vlan100

CORE#show mac address-table | inc 0000.0c07.ac01
100 0000.0c07.ac01 DYNAMIC Po5

CORE#show int po5 | inc Members
Members in this channel: Gi1/0/5 Gi1/0/6 Gi2/0/5 Gi2/0/6

CORE#show cdp nei Gi1/0/5
Device ID Local Intrfce Holdtme Capability Platform Port
ACCESS Gig 1/0/5 120 S I WS-C3750- Gig 1/0/1

Change password on non-admin user in SPLAT

2010-02-02T17:08:00.001+01:00

Unbelievable, but true.

Passwd command is used by Checkpoint to change ONLY expert password :-)

Do not try to use "passwd <username>" as that wont do the job :-)

[Expert@nd00001]# passwd
Enter new expert password:
[Expert@nd00001]# passwd user
Enter new expert password:

After a bit of scratching my head I got this:

[Expert@nd00001]# which passwd
alias passwd='/bin/expert_passwd'
/bin/expert_passwd
[Expert@nd00001]# more /bin/expert_passwd

******** /bin/expert_passwd: Not a text file ********

Luckily there is still good old passwd stored in /usr/bin/:

[Expert@nd00001]# /usr/bin/passwd test
Changing password for user test.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

This strangely reminds me on the good old "su" hack. Lessons learned from that hack is: "Make sure you ALWAYS use full path to your binaries!!!"

Checkpoint confirmed that in a bit strange way ;-)

Download backup from SmartCenter using SCP

2010-02-02T16:58:00.001+01:00

SFTP didn't worked on R62, and I decided to try SCP. I had to check CPUG in order to get this done :-)

Basically this is what you need to do:

1. Download PSCP

2. Edit /etc/scpusers file, adding your username into the file, 1 user per line

3. Change the shell to /bin/bash for your user in /etc/passwd

4. Restart ssh deamon: "service sshd restart"

5. Use command similar to:

C:\Documents and Settings\USER\Desktop>pscp -scp
user@10.100.2.20:/var/CPbackup/backups/backup_hostname.domain.com_2_2_2010_10_47.tgz
F:\Provider\backup\backup_hostname.domain.com_2_2_2010_10_47.tgz
user@10.100.2.20's password:
backup_hostname.domain.com_2 | 236672 kB | 9466.9 kB/s | ETA: 00:02:15 | 15%

That's all!

P.S. Dont forget to check md5 checksum after you got that file transferred ;-)

CheckPoint CCSE Failed with 63%

2010-01-23T10:01:00.001+01:00

It is my first failure on certification exam, and I've been on more then 10 exams so far.

My feeling studying for this exam is that Checkpoint doesn't teach you how the things work according to RFC, but where to click in the GUI in order something to work.

I was amazed again from exam quality. 3 of the questions were repeated with different answers. 4-5 of the questions I wasn't able to understand. There was a mistake in the questions instead of "process" was mentioned "device", and thing like that.

I got 50% on remote access, VPN :-) , Clustering, and 60% on Site-to-Site VPN :-) And there was plenty of theoretical questions on the exam. I hope they can verify their theoretical questions, as really they were close to impossible to understand them. Also they are not following the RFC terminology on the technical questions. With my background in Cryptography and hands on practice on VPN with the product, I shouldn't have any problem getting 100% on many of the topics.

But, always look on the bright side of life :-)

The plan is to show up once more in 2 weeks. In meantime I'll go through the material one more time, and I'll blog my notes for each topic.

That will definitely be my last exam in Checkpoint. I dont think it is worth to spent time, money and nerves on exam with such poor quality.

Checkpoint CCSE, 1 week before exam day

2010-01-18T10:03:00.000+01:00

I've been through most of the material so far, except SSL Network Extender and Clientless VPN. I'll do this tonight, and I'll book my exam either on friday this week, or monday next week.

Few notes so far: I advise you to go through material in the following order:

1. Upgrade Chapters

2. High Availability and Cluster XL

3. VPN theory chapters

4. Site to Site VPN chapters

5. Remote Access VPN chapters

The reason for that is because in VPN chapters there are a lot of ClusterXL related stuff, and I had to go back and forward between them all the time, so I decided to go through ClusterXL before VPNs.

Note that Load Sharing mode will not work with 15day licence. You need to licence your virtual machines, before making those labs. There is 30 day evaluation version on the CD which comes with the book.

You can find details of used materials here.

Checkpoint CCSE Progress

2010-01-13T18:00:00.001+01:00

I've decided to prepare for this exam, as I dont have experience with Remote Access and ClusterXL. Those 2 topics will take most of the time for my practice with the virtual machines.

I got soft copy of Check Point Security Administration II NGX 1.1 from a colleague who was on the course in 2007, and I'll use that book for the labs.

For the theoretical part, I've decided to use Checkpoint Official guides, as it will be easier for the future. I'll review the theoretical part in the official course book as well.

I expect to sit on exam in 2-3 weeks.

You can find more details here

Checkpoint CCSA passed with 81%

2010-01-08T14:23:00.001+01:00

Yesterday I've passed the exam with 81%. The score is not that good, because I got 33% on the LDAP questions (I was too lazy to install AD on my Windows 2003 machine, and there were 7-8 LDAP questions) The rest of the topics vent fine with some of them above 70% and most of them above 80%. I've finished 5 topics with 100%.

Few questions on the exam were rather strange, and I wasn't able to understand them, even after 5 times reading. One of the questions had multiple choice answer (from 5 options) and 1 of the answer offered was: 1, 3 and 3 :) I've wrote a comment on that question, so I hope no one will get it again. There were 7-8 questions from general Network Security, not related to Checkpoint products at all.

Except the sources specified in this post, I've used the following:

- QOS Chapter from NGX II version 1.1 book

- SmartDefense white paper

- 2 very good blogs/sites: fir3net and netl33ts

Good Luck!

DHCP Snooping on Cisco Switches

2010-01-06T10:58:00.000+01:00

DHCP protocol is widely used and have security issues as it was build long time ago before there was need for network security. Cisco have implemented several enhancements in IOS to (partially) protect and stop most of the DHCP attacks. Port Security, DHCP Snooping, IP Source Guard and Dynamic ARP Inspections are mostly used these days.

DHCP Snooping is a security feature which protect the network clients to receive IP settings from rogue DHCP servers. Ports can be classified into 2 types: trusted and untrusted. Ports which are connected to a authorized DHCP servers have to be configured as trusted. All the rest should be configured as untrusted (the default value). Trusted ports are bypassed from DHCP Snooping validation. DHCP Snooping feature can be enabled per Vlan.

Enabling this feature will create DHCP Snooping binding database with support up to 8192 entries. In that database there are records for: IP address of the client, MAC Address of the client, DHCP lease time, Interface on which the client is connected and VLAN number (there are also checksums for each entry and one checksum for the file)

The switch is comparing Source MAC Address with DHCP CHADDR (Client Hardware Address). If those 2 addresses match, packet is forwarded. In other case, the packet is dropped.

The switch will drop the packet if:

Packet originated from DHCP server is received on untrusted port
The Source MAC Address is different then the CHADDR
The switch receive a DHCPRELEASE on interface for a MAC address which doesn't match the interface in the DHCP Snooping binding database
DHCP relay agent forwards a packet that includes option-82 information to an untrusted port. (this situation will be covered in another post, as I've experienced this in practice recently)

Example of DHCP Snooping configuration:

Switch(config)# ip dhcp snooping
Switch(config)ip dhcp snooping vlan 101-102,104,301,1000

Show commands:

show ip dhcp snooping

Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
101-102,104,301,1000
DHCP snooping is operational on following VLANs:
101-102,104,301,1000
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

show ip dhcp snooping binding

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec) Type           VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:21:70:15:EA:8D   10.216.20.55     244958      dhcp-snooping   101   FastEthernet3/0/22
00:1C:23:4F:F3:DD   10.216.20.43     244166      dhcp-snooping   101   FastEthernet1/0/10
00:1C:23:4F:F3:10   10.216.20.37     246563      dhcp-snooping   101   FastEthernet4/0/16
00:1C:25:97:57:63   10.216.20.42     258392      dhcp-snooping   101   FastEthernet4/0/23
00:1C:23:4F:E6:E1   10.216.20.30     240567      dhcp-snooping   101   FastEthernet3/0/18
00:21:70:15:E9:14   10.216.20.26     152945      dhcp-snooping   101   FastEthernet3/0/2
00:1C:23:5A:F7:93   10.216.20.34     160704      dhcp-snooping   101   FastEthernet2/0/9
00:1C:23:4F:F6:4B   10.216.20.45     245043      dhcp-snooping   101   FastEthernet1/0/14
00:1C:23:4F:F4:24   10.216.20.48     97990       dhcp-snooping   101   FastEthernet3/0/12
00:1C:23:4F:F6:BF   10.216.20.36     244629      dhcp-snooping   101   FastEthernet1/0/21
MacAddress          IpAddress        Lease(sec) Type           VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:24:E8:BC:FF:6E   10.216.20.54     252080      dhcp-snooping   101   FastEthernet2/0/12
00:22:68:13:55:A8   10.216.20.47     253335      dhcp-snooping   101   FastEthernet4/0/23
00:21:70:15:FC:F2   10.216.20.31     252408      dhcp-snooping   101   FastEthernet2/0/19
00:1E:C9:70:D4:F2   10.216.20.82     201709      dhcp-snooping   101   FastEthernet3/0/16
00:0F:1F:EA:23:04   10.216.20.69     226910      dhcp-snooping   101   FastEthernet4/0/14
00:21:70:15:F8:06   10.216.20.32     243896      dhcp-snooping   101   FastEthernet3/0/1
00:21:70:15:EA:0E   10.216.20.57     158323      dhcp-snooping   101   FastEthernet3/0/10
00:21:70:15:EB:78   10.216.20.41     248641      dhcp-snooping   101   FastEthernet2/0/21
00:21:70:16:00:9D   10.216.20.38     159319      dhcp-snooping   101   FastEthernet2/0/11
00:21:70:15:EB:15   10.216.20.59     247514      dhcp-snooping   101   FastEthernet2/0/18
00:1A:6B:D4:53:C5   10.216.20.52     248756      dhcp-snooping   101   FastEthernet4/0/23
MacAddress          IpAddress        Lease(sec) Type           VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1C:25:97:81:55   10.216.20.51     255468      dhcp-snooping   101   FastEthernet4/0/20
00:22:68:13:28:40   10.216.20.40     255690      dhcp-snooping   101   FastEthernet4/0/23
00:21:70:15:FC:C9   10.216.20.33     242025      dhcp-snooping   101   FastEthernet4/0/17
00:21:70:15:FF:E1   10.216.20.46     250732      dhcp-snooping   101   FastEthernet1/0/18
00:1C:23:5A:F7:EE   10.216.20.27     241494      dhcp-snooping   101   FastEthernet2/0/10
00:24:E8:D5:CF:9E   10.216.20.60     244181      dhcp-snooping   101   FastEthernet3/0/15
00:21:70:AF:C0:BF   10.216.20.53     243784      dhcp-snooping   101   FastEthernet4/0/19
00:21:70:B0:48:68   10.216.20.49     246445      dhcp-snooping   101   FastEthernet5/0/20
00:1C:23:4F:86:F4   10.216.20.44     242733      dhcp-snooping   101   FastEthernet1/0/15
00:1C:23:4F:F4:DB   10.216.20.35     239051      dhcp-snooping   101   FastEthernet2/0/2
00:21:70:15:FB:FF   10.216.20.87     243821      dhcp-snooping   101   FastEthernet3/0/6

show ip dhcp snooping statistics detail

Switch#show ip dhcp snooping statistics detail
Packets Processed by DHCP Snooping                    = 1823
Packets Dropped Because
   IDB not known                                       = 0
   Queue full                                          = 0
   Interface is in errdisabled                         = 0
   Rate limit exceeded                                 = 0
   Received on untrusted ports                         = 0
   Nonzero giaddr                                      = 0
   Source mac not equal to chaddr                      = 680
   Binding mismatch                                    = 0
   Insertion of opt82 fail                             = 0
   Interface Down                                      = 0
   Unknown output interface                            = 0
   Reply output port equal to input port               = 0
   Packet denied by platform                           = 0

And log messages when some PC are trying to use different MAC address then their hardware address:

Jan 6 09:55:47.405 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan 6 09:57:42.085 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763
Jan 6 10:01:29.406 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan 6 10:03:33.086 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763

Upgrade of libsw package on Provider-1

2010-01-05T15:59:00.001+01:00

Recently we purchased new UTM-1 Edge firewalls, and we ship some of them to a site far away in Northern Norway (without testing them in the lab first, off course ;-) ). On our surprise they came up with version 8 of firmware, all of other firewalls had version 7.5 and our Smart Center had support for 7.5 only. After the installation of the policy on the Edge device, in the log of the Edge firewall came up this message: "Wrong update version in policy (got policy 655 instead of 700)". Checkpoint have published sk31448 for this problem.

P.S. Make sure you backup your old libsw files, before upgrading to the new version.

Checkpoint CCSA instead of CCIE Written

2010-01-01T22:57:00.001+01:00

Just decided to do CCSA before CCIE Written.

I have more then 4 years of experience with Checkpoint products, but I've never sit down to read for some of their products that I haven't used. I've done few installations of the firewalls, I've created approximately 50 site to site tunnels using Edge or 3rd party devices.

Now this decision came up because most probably I'll get a task to upgrade complete Checkpoint Infrastructure for our client from R62 to R65/R70, and I decided to work on it. After 1 month work approximately 2-3 hours per day, I'm 1-2 weeks away from exam date.

If you decide to do that I encourage you to use the following:

1. Install Smart Center and Firewall on SPLAT, test Windows (AD server) host and/or Backtrack test host and do your own labs at home

2. I've used this R65 book

3. CCSA CBT Nuggets

4. CPUG Group Forums

I'll update you with my exam experience once I sit on it.

IPSec Source for the Written/Lab Exam

2009-12-07T15:56:00.001+01:00

It is my 3rd time reading the IPSec chapter and each time I'm learning some new details. One day I'll go through whole book, although some of the chapters are bit outdated. The link to the book:

http://www.amazon.com/Security-Principles-Practices-Professional-Development/dp/1587050250

Also I had privilege to attend recorded session from 2008 Networkers named: "Advanced Topics in Encryption Standards and Protocols"

Both of them are highly recommended.

CCIE Security Written Exam, tracking my progress

2009-12-03T13:47:00.001+01:00

I'm preparing for this exam, and I've decided to share a spreadsheet in which I'm tracking my progress and taking a note of the source that I'm using for the specific topic.

You can check my spreadsheet here:

http://spreadsheets.google.com/pub?key=tSdRewJTdEco1FVg2EgJznA&output=html

The plan is to take the exam in 30-45 days from now.

Recently I've read a good comments for this exams in IP Expert blog:

http://blog.ipexpert.com/2009/11/30/ccie-security-written-overview/

Ethical Hacking interest

2009-11-04T10:42:00.001+01:00

I've started to prepare for Written Exam. I've compared the blueprint with what I've read in the past for the CCSP exams, and seems like I'll repeat 75% of the material. I'll have another post on it, and I'll share the spreadsheet with all the resources that I've used for all the topics.

But I got lazy 2 weeks ago. I'm expressing interest in ethical hacking since 2 years, and I came across this books: Penetration Testing and Network Defense, by Andrew Whitaker and Daniel P. Newman. Very nice, fast read. (There are many screenshots, don't be afraid of the size of the book when you first open it) There are some tools and technics that I haven't heard before. Recommended if you're interested in the "other" side of Security. If you're planning to become an ethical hacker, you need to look into more serious sources. For example, the material for Certified Ethical Hacker will have more then this book.

It took me 2 weeks, spending 2-3 hours per day on it.

CCSP ASA exams

2009-11-04T10:41:00.001+01:00

2 months ago I got my CCSP, the last 2 exams were the ASA ones. Materials that I've used:

Cisco Firewall Mentor Video lessons by David Hucaby
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, by Jazib Frahim
CCSP SNAF Quick Reference, by Andrew Mason
CCSP SNAA Quick Reference, by Ryan Lindfield
CCIE Professional Development Series Network Security Technologies and Solutions, by Yusuf Bhaiji
Demo Version of ASDM version 6.0.3 - There are several scenarios and different setups. It is a demo but it helped me to be more oriented with the ASDM. In SNAF there a many ASDM questions.

Good Luck on the exams!

Improve knowledge in Cryptography

2009-11-04T10:38:00.000+01:00

I would like to share resources that I used to improve my knowledge in cryptography. There are bunch of resources out there, below is the list that I used:

Wikipedia - Probably all of us use it today. I've used it to get high level overview of the protocols.
Video Lectures from University in Washington - http://www.cs.washington.edu/education/courses/csep590/06wi/ - Those guys are incredible. I wish all of my teachers in the past were like them. I've started to do the home works and then stopped on the 2nd lesson. Too tough for me .
The CodeBook from Simon Singh, and his website http://www.simonsingh.net - You can download the Crypto CD-ROM for free from there. I consider myself pretty old for that CD, but I spent hours trying to break those codes there.
Cryptography and Network Security Principles and Practices, Fourth Edition, By William Stallings - I loved it. It took me 45-50 days to get though it, but I enjoyed every second spent on it. All those protocols that you'll find in blueprint are explained in details here.

It took me 3 months, but now I feel much more comfortable with all those protocols. It was time well spent.

Configuring GRE Tunnels

2009-05-18T19:44:00.001+02:00

This looks quite simple. All what we need to do is to configure a tunnel interface, and to point a route to the destination network with gateway the tunnel interface. We are using the same topology as for PKI deployment, and the same config-u files for start.

interface Tunnel0
ip address 172.31.1.1 255.255.255.252
tunnel source FastEthernet0/1
tunnel destination 172.30.6.2

ip route 10.10.3.0 255.255.255.0 Tunnel0

From now on, I'll include simple captures in the zip file.

You can get the files from here:

http://sites.google.com/site/cciesecurityattempt/Home/vpn-gre.zip

Update:

I have made a capture of an http connection between the routers, where you can clearly see GRE in action. The filename is http.cap, and the screenshot is named http-cap.png. Check the source and destination IP addresses, before encapsulation and after the GRE encapsulation. Also I have played a bit with tunnel interfaces. I have changed the IP address of the tun0 interface of router A to 169.254.254.254/24, and left the same IP address on router D and the tunnel was still working. If you remove the IP address of the tun0 interface, you'll not be able to bring up the tunnel.

Conclusion: The tunnel interfaces must have an IP address assigned, but they don't have to be in the same subnet in order for the tunnel to be brought up.

Summary of all PUBLIC IP addresses

2009-05-14T10:47:00.002+02:00

Recently we had to allow all public IP addresses through Cisco FWSM. I was googling for the list, but I wasn't able to find it. It took me approximately 2 hours to have that list compiled, and I decided to share it. Hopefully someone out there will find it useful. Here is the list. Feel free to copy paste it.

network-object 1.0.0.0 255.0.0.0
network-object 2.0.0.0 254.0.0.0
network-object 4.0.0.0 252.0.0.0
network-object 8.0.0.0 254.0.0.0
network-object 11.0.0.0 255.0.0.0
network-object 12.0.0.0 252.0.0.0
network-object 16.0.0.0 240.0.0.0
network-object 32.0.0.0 224.0.0.0
network-object 64.0.0.0 192.0.0.0
network-object 128.0.0.0 224.0.0.0
network-object 160.0.0.0 248.0.0.0
network-object 168.0.0.0 252.0.0.0
network-object 172.0.0.0 255.240.0.0
network-object 172.32.0.0 255.224.0.0
network-object 172.64.0.0 255.192.0.0
network-object 172.128.0.0 255.128.0.0
network-object 173.0.0.0 255.0.0.0
network-object 174.0.0.0 254.0.0.0
network-object 176.0.0.0 240.0.0.0
network-object 192.0.0.0 255.128.0.0
network-object 192.128.0.0 255.224.0.0
network-object 192.160.0.0 255.248.0.0
network-object 192.169.0.0 255.255.0.0
network-object 192.170.0.0 255.254.0.0
network-object 192.172.0.0 255.252.0.0
network-object 192.176.0.0 255.240.0.0
network-object 192.192.0.0 255.192.0.0
network-object 193.0.0.0 255.0.0.0
network-object 194.0.0.0 254.0.0.0
network-object 196.0.0.0 252.0.0.0
network-object 200.0.0.0 248.0.0.0
network-object 208.0.0.0 240.0.0.0

Note: Excluded ranges from the list are: 0.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3. If you decide to include 0.0.0.0/8 on the list you'll save 2 lines by summarizing: 0.0.0.0/5.

Maybe for your needs you need to reconsider bogons (http://www.cymru.com/Documents/bogon-bn-agg.txt), but then this list will become much bigger.

Configuring WebVPN (SSL VPN)

2008-12-01T09:36:00.001+01:00

For this lab you'll need 12.4T image. I'm using:

c7200-advsecurityk9-mz.124-22.T

We have to configure this on 3 main steps:

Configure WebVPN gateway (hostname, IP, certificate)
Configure WebVPN context (URL lists, Port forwarding, acl, nbns list..)
Configure WebVPN group policy (Look and feel on the web interface, access to the resources)

To be sure that I'll be tunneled and not routed, I've applied an access list on the router A. I was very surprised when I logged in on the web server on win2003 host, for which I had a url-list added, and just from modifying the URL from: https://192.168.1.1/http/0/server.mydomain.com/

to:

https://192.168.1.1/http/0/10.10.4.70/ , I was able to reach the Monkey Web Server on the DSL Linux box. After that I've found out that we can apply an ACL to the policy itself, and I got this syslog message:

*Nov 29 23:27:58.883: %SSLVPN-6-WEBVPN_APP_ACL_NET: The request( source ip: 192.168.1.2, destion ip : 10.10.4.70 ) from user cisco is denied by ACL, and also:

*Nov 30 00:37:03.803: %SSLVPN-6-WEBVPN_APP_ACL_NET: The request( source ip: 192.168.1.2, destion ip : 10.10.4.60 ) from user cisco is permitted by ACL

All the syntax:

webvpn gateway VPN-SSL
hostname SSL-GW
ip address 192.168.1.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-4294967295
inservice
!
webvpn context SSLCTX
title "VPN-SSL Page"
ssl authenticate verify all
!
url-list "MYLINKS"
   heading "Quicklinks"
   url-text "Homepage" url-value "server.mydomain.com"
   url-text "Homepage2" url-value "server.mydomain.com/index2.htm"
   url-text "IIS Start page" url-value "server.mydomain.com/iisstart.htm"
!
acl "TEST"
   permit http any 10.10.4.60 255.255.255.255 syslog
!
nbns-list "NBNS"
   nbns-server 10.10.4.60
login-message "User/Pass Please"
!
port-forward "PF"
   local-port 25555 remote-server "server.mydomain.com" remote-port 25 description "MAIL"
!
policy group SSL-Policy
   url-list "MYLINKS"
   acl "TEST"
   port-forward "PF"
   nbns-list "NBNS"
   functions file-access
   functions file-browse
   functions file-entry
   banner "Eureka!"
   timeout idle 1800
   timeout session 36000
!

default-group-policy SSL-Policy
gateway VPN-SSL
inservice

For some reason the port forwarding was recognized as local port 25 instead of 25555 as it is in the config. Also I haven't tested the windows file shares, because my win2003 and my laptop were in different workgroups, and I was too lazy to reboot :-)

VPN configuration using certificates

2008-11-30T01:00:00.001+01:00

Here we have very similar topology as previous example. The difference is that we have added card NM-1FE-TX on router B, and we connected virtual windows 2003 server which will play the role of CA server. IP address assigned to the server is 10.10.4.60. We have installed support for SCEP protocol on that server as well. You can download for free (something free from Microsoft? Amazing, isn't it? :-) ) from here: http://download.microsoft.com/download/c/e/e/ceef4ccf-b603-4790-bd9e-f112c3270d2e/cepsetup.exe

Also we have added static routes to the 10.10.4.0/24 network to the routers that needed to reach the CA server. Before to start with configuration, we have to verify that we can reach CA server from all the routers, and that we cannot reach 10.10.3.0/24 network from router A, neither 10.10.2.0/24 network from router D.

After the installation of capsetup.exe file on the CA server, we will get the URL for SCEP enrollment. You need to write it down. In my case is: http://jas-uvjdckpdvov/certsrv/mscep/mscep.dll (What a strange name for a windows server, isn't? :-) At this point all the configuration files are named as: x-confg-u, where x is the router name.

We need to do a bit of preparation before start to configure the peers. We need to make sure that the time and date are the same on the VPN peers as well on the CA server. Probably for this lab the most handy will be to setup CA as ntp server, but I wasn't able to find out how to do that from Windows help :( Also we need to configure domain name, ip host for CA server, and to generate the rsa keys for both peers.

First of all we need to request certificate from a CA. I have experienced some issues during this process, and I'll try to explain them here. After we have configured time and date, domain name, generated rsa keys, and assign an ip host for the CA server, we can continue to the configuration:

A(config)#crypto pki trustpoint jas-uvjdckpdvov
A(ca-trustpoint)#enrollment mode ra
A(ca-trustpoint)#enrollment url http://jas-uvjdckpdvov/certsrv/mscep/mscep.dll

The trustpoint name can be something more reasonable, as long it is defined with correct IP address as ip host. I just wanted to be on the safe side here :-) At this point we have defined the URL for SCEP enrollment.

2nd step is to authenticate to the CA. Here is where I have done the mistake, typing my own password. The syntax is:

A(config)#crypto pki authenticate jas-uvjdckpdvov
Certificate has the following attributes:
       Fingerprint MD5: 396C1E3F 9BDC2D71 641E5077 4E5ADC0D
      Fingerprint SHA1: 2EF2F253 B502F445 0EFC947E 2674FD7F A50A76E1

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

A(config)#crypto pki enroll jas-uvjdckpdvov
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this   password to the CA Administrator in order to revoke your certificate.   For security reasons your password will not be saved in the configuration.   Please make a note of it.

Password: password
Re-enter password: password

% The subject name in the certificate will include: A.darkside.net
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 3B843B84
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate jas-uvjdckpdvov verbose' command will show the fingerprint.

.Oct 16 01:09:58.735: CRYPTO_PKI: Certificate Request Fingerprint MD5: 5B8E4A75 6320D376 18BB0461 87ED9DFF
.Oct 16 01:09:58.743: CRYPTO_PKI: Certificate Request Fingerprint SHA1: C9620276 3EB6CCC5 D8D6D241 1C931DF5 FD946901
.Oct 16 01:10:01.823: %PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority

We need to get the password from CA in order our request to be approved. It is stored at: http://localhost/certsrv/mscep/mscep.dll and it is valid for 60 minutes, and it can be used only once, which means you need to refresh that page when you enroll router D :-) After that we should get this wonderful syslog message:

Oct 16 01:17:25.179: %PKI-6-CERTRET: Certificate received from Certificate Authority.

We are almost good to go now. We just need to configure isakmp policy, transform set, crypto map and access list, and to assign the crypto map to the VPN peer interface. Sooo easy :-). I have made another mistake on the access list here. Stupid me... I have created access lists in format: "permit ip any <remote network>", and "permit ip <remote network> any" on both routers. That costs me additional 30 minutes staring at both configurations of the routers, running debug, even raising SDM hoping that it will tell me something more. All that I got were only those very strange lines in the syslog:

Oct 16 01:29:54.055: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 172.30.6.2
Oct 16 01:29:54.059: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
Oct 16 01:29:54.063: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 172.30.6.2 remote 172.30.1.2)
Oct 16 01:29:54.067: ISAKMP: set new node 1138201416 to QM_IDLE
Oct 16 01:29:54.075: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1705632040, message ID = 1138201416

You can easy simulate this, by just deleting one line from the access list in the working configuration, and allow ip any any as 2nd line of that access list.

Oct 16 00:02:11.291: map_db_find_best did not find matching map
Oct 16 00:02:11.295: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 172.30.6.2
Oct 16 00:02:11.299: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
Oct 16 00:02:11.303: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 172.30.6.2 remote 172.30.1.2)

After changing the access-lists in the format: "permit ip <local net> <remote net>", "permit ip <remote net, local net>" finally I got the ping response from the remote network.

Configuration steps for this lab:

1. Set correct time and date, domain name, rsa keys, and assign a ip host for a CA
2. Define the trustpoint, and enrolment mode and url
3. Authenticate on the CA
4. enroll for certificate, with the correct password :-)

You can get the usual files from here:

http://sites.google.com/site/cciesecurityattempt/Home/vpn-pki.zip

TO BE UPLOADED: vpn-pki.cap, vpn-pki-cap.png

Configuring DMVPN

2008-11-23T16:43:00.001+01:00

I spent some time until I reach the working config of DMVPN. DMVPN solution combine IPSec, mGRE and NHRP to achieve scalability that we need when implementing the solution. If you get stuck with the CLI configuration, I strongly recommend to configure it with SDM, and then erase and go back to configure it with CLI. The working config that I'll upload is with default naming and settings from SDM. Router B is simulating Internet, Router A is the HUB router, and routers C, D and E are the spoke routers. All the spoke routers have defined default gateway on their fa0/0 interfaces (in practice, those interfaces should be dynamically assigned by ISP). The NHRP part of the config is a bit tricky, however configuring it via SDM is straight forward.

CCIE Blueprint version 3 out

2008-10-16T17:44:00.002+02:00

Today Cisco announced version 3 of CCIE Blueprint. You can find it here:

http://www.cisco.com/web/learning/le3/ccie/security/lab_exam_blueprint_v3.html

CCIE Equipment and Software versions for this exam here:

http://www.cisco.com/web/learning/le3/ccie/security/lab_equipment_v3.html

From a first look, the PIX firewall and VPN Concentrators are out of the blueprint, and there is not many other changes:

In Identity Management part there is 2 new topics:

Configure LDAP
Configure certificate-based authentication

More or less the topic are the same as before.

I was in doubt if the PIX will be in the new version of the blueprint and I wasn't sure which exam should I choose: 642-523 or 642-524 as my next exam, but now is clear that I'll choose the ASA one. Also I'm very happy that VPN concentrators are out, as I don't have any experience with them at all.

Technorati Tags: General

VPN configuration with pre-shared key

2008-10-13T17:50:00.000+02:00

In this topology I have 4 routers, 2 of them simulating internet (B and C), 2 of them are VPN peers (A and D). I have static routes defined for simplicity. Before start to configure the VPN we need to verify that we can reach peer IP addresses (172.30.1.2 and 172.30.6.2) from router A and D, but we cannot reach 10.10.2.1 neither 10.10.3.1.

A(config)#do ping 10.10.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.3.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

A(config)#do ping 172.30.6.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.30.6.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/37/92 ms

D(config)#do ping 10.10.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.2.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

At this point I'll save the config files and name them: a-confg-u, b-confg-u…

u will means Unconfigured :P

After I have the IP of the interfaces and routing configured, I’ll keep the configuration only with routing configured, so next time I’ll not play to configure interfaces and routes. I will only switch the configuration files in the net file. This way I’m planning to improve my configuring speed when the time for the big lab exam will come. Also there I’ll keep the network diagram, and in the diagram at the bottom, I’ll write few remarks/guides. I’ll upload all the net files, all config files only with routing, the finished config files and my diagrams as well. Hope someone will find them useful in the future. I’m sure that I’ll find them useful after 6-9 months :P

I have decided not to write detailed steps how to configure all the steps. You can find that information everywhere, and I don't see any point to make a copy paste from the console. Those posts are meant to be used 1-2 weeks before the CCSP exams, and 1-2 months before the LAB exam. I think there might be exceptions of the configurations that are long and hard to remember.

Steps required for configuration of site to site VPN with preshared key:

Setup ISAKMP policy (IKE Phase 1) + pre-shared key
Setup IPSec Transform Set (IKE Phase 2)
Define interesting traffic (access-list)
Setup crypto map (type of IPSec ISAKMP/Manual, match ACL, set peer, sa, transform set) (syntax: crypto map MYMAP 156 ipsec-isakmp)
Assign crypto map on interface

_____________________________________________

After the configuration you should try to ping from router A or D with source address from 10 network:

D#ping 10.10.2.10 source fa0/1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.2.10, timeout is 2 seconds:

Packet sent with a source address of 10.10.3.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/30/48 ms

Useful show commands:

show crypto isakmp sa
show crypto ipsec sa
show crypto map
show crypto session
debug crypto isakmp
debug crypto ipsec

The biggest “trouble” I had here was to remember the syntax of step number 4, therefore I added the syntax into the picture diagram above.

The config files with final configuration will be named: a-confg and d-confg.

Files which will be uploaded:

vpn-pre-shared-key.doc
vpn-pre-shared-key-small.png
vpn-pre-shared-key.net
a-confg-u, b-confg-u, c-confg-u, d-confg-u (conf files with routing configured)
a-confg, d-confg (working VPN config).

UPDATE: I have added a capture and a few wireshark screenshots

There you can see 6 ISAKMP Phase 1 packets, and 3 Quick mode

Phase 2 packets. First 2 ISAKMP packets are policy negotiation.

Second pair ISAKMP packets are DH Exchange.

3rd pair is Identity information's exchange (pre-shared key)

This is the first encrypted packet.

Phase 2 (Quick mode) is done in 3 packets:

1. Requestor sends IPSec SA proposal, with optional info if

Perfect Forwards Secrecy (PFS) will be used.

2. Responder check the proposal and sends back an answer

3. Requestor send an confirmation that SA have been negotiated

After this process the data encryption will start.

Plans for the future post:

To be made analyses with unsuccessful connections.

You can get them from here:

http://sites.google.com/site/cciesecurityattempt/Home/vpn-pre-shared-key.zip

to be uploaded: vpn-pre-shared-key-cap.zip

First post

2008-08-08T13:11:00.000+02:00

I didn't believe in such things like blogs when they first appeared in the web world.
Right now I find them very informative, and I'm reading occasionally 4-5 of them.
Inspired by Tassos (http://ccie-in-3-months.blogspot.com/), I'm creating my first post today, and hope that this place will survive for 15 months. I'm planning to post my configurations (dynagen files, and drawings (I hope) ) of most of the labs that I will perform to obtain Security certificate from Cisco.
Estimated time for LAB exam is somewhere in november 2009 for now. Today I passed SND, and I have 4 exams more before reaching written and lab exam
Let the journey begin!