F5 BIG-IP Plugin with Firefox 52 workaround

It’s not news anymore that Mozilla is stopping support for NPAPI (Netscape Plugin API). With the release of Firefox 52 version, I believe that only Flash plugin is enabled by default.

I’ll skip the discussion about NPAPI plugins and Mozilla’s decision to stop the support, however the reality is that for me it has a strong impact in certain areas. One of this areas is the F5 BIG-IP, specifically the APM and possibility to launch Application (like RDP) from the Webtop interface.

I’m relying heavily on a F5 BIG-IP VE machine to connect to my home lab when I’m remote. The Webtop functionality gives me the possibility to use only a Browser to connect to my applications at home, keeping me away from any F5 client installation on the machine that I use. Usually this machine is my MacBook or PC, and the F5 client installation should not be a big thing, however I like the clientless option.

The F5 Webtop functionality is possible due to a NPAPI plugin called “F5 Network Host Plugin” which usually installs in the browser when you access the F5 APM. So yes, you still need to install something, but this browser plugin is easy to install / remove when compared with a F5 client.

One morning I wake up to find out that my Firefox browser was silently upgraded in the background and instead of being able to launch an Application from the F5 Webtop interface I see this:

Useless to say that the plugin was already installed and everything seemed to be fine. Googling around I could find a lot of information why is not working, but no workaround until I read this article on the F5 DevCentral page.
F5 is aware of the problem, they are working on a solution but so far everything points out to use of the F5 client.

Until Firefox 51 everything was still fine but with the release of Firefox 52 you will get the error showed above. Long story short, for now, there is a workaround which suppose to work fine on Firefox 52 and the upcoming 53 version.

You need to create in Firefox 52 a configuration parameter called “plugin.load_flash_only” and set the value to “False”. Remember that this parameter is not there, so don’t just search for it…create it.

  1. Head to the Firefox URL bar and type about:config.
  2. Accept the responsibility that you’ll not destroy your Firefox installation.
  3. Right click
  4. Chose New > Boolean from the menu
  5. In the newly open window type: plugin.load_flash_only
  6. Set the value to: False

In the end you’ll see something like this:

Remember that I said in the first line that only Flash plugin is still enabled by default? This setting reverse that setting, by saying that not only Flash plugin should be enabled.

Not sure what I’ll do for future. Not to upgrade Firefox 52 (and possible 53) to the next release is not a long term option and from security perspective is a disaster. To keep a parallel installation of Firefox just to reach my trusted URL…doable, but still a bit of a hassle. I hope F5 will come up with a solution.

SSL Certificate signed by own CA

There are a lot of “how-to” on the Internet explaining the setup procedure. This is mainly a copy / paste example for those in a hurry :)

How to setup your own CA

Generate a key for CA

openssl genrsa -aes256 -out myCA.key 4096

Pick a password and remember it!

Generate a SSL certificate for CA

openssl req -new -x509 -days 3650 -key myCA.key -out myCA.crt

How to create a new SSL certificate signed by your own CA

Request a new key for the new domain that you want to secure

openssl genrsa -aes256 -out MyServerName.key 2048

Pick a password and remember it!

Request a CSR and sign it with the previous created key

openssl req -new -key MyServerName.key -out MyServerName.csr

Request the SSL certificate and sign it against the CA

openssl x509 -req -in MyServerName.csr -out MyServerName.crt -sha1 -CA myCA.crt -CAkey myCA.key -CAcreateserial -days 720

(Optional for Linux) Secure the key on the server

chmod 0400 *.key

To have the SSL working you need to copy on the server side
– MyServerName.key
– MyServerName.crt
– myCA.crt (that’s the CA certificate)

How to view a certificate

openssl x509 -in MyServerName.crt -text -noout

How to check whether a private key matches a certificate or that the certificate matches the certificate signing request (CSR)

openssl x509 -noout -modulus -in MyServerName.crt | openssl md5
openssl rsa -noout -modulus -in MyServerName.key | openssl md5
openssl req -noout -modulus -in MyServerName.csr | openssl md5

Does anybody knows a simple script that can offer the above functionality from web interface? I was looking around for a while now, but either they are enterprise complex or do not work. Let me know in Comments if you have a good suggestion.

Thanks!

Mikrotik L2TP with IPsec for mobile clients

I got some questions about how to configure Mikrotik to act as L2TP Server with IPsec encryption for mobile clients. I know this is not exactly in the line of this blog oriented on enterprise networks, but it’s network technology in the end so I’ll try to cover it here.

Before we start, please make sure that your Mikrotik build-in firewall is configured in such way that it can accept packets on the WAN interface. You can check my article on IPsec VPN Mikrotik to Cisco for firewall configuration.

Another important part is that I’m using RouterOS v6.24 in the below scenario. In earlier versions some configurations are a bit different, but you’ll figure it out as I will explain where is really important.

1. Add a new IP Pool

It’s not mandatory if you already have a IP Pool, but I assume you don’t and we need to add one.

GUI

IP > Pool

Add a new pool

Name: L2TP-Pool
Adresses: 172.31.86.1-172.31.86.14
Next Pool: None

CLI

/ip pool add name="L2TP-Pool" ranges=172.31.86.1-172.31.86.14

L2TP Configuration

1. Configure L2TP Profile

Before adding a new L2TP Server, we need to add a new L2TP Profile. We can use also the default one, but I don’t like to mix things.

GUI

PPP > Profiles

Name: l2tp-profile
Local Address: L2TP-Pool
Remote Address: L2TP-Pool
DNS Server: 8.8.8.8
Change TCP MSS: yes
Use Encryption: required

The rest of values can be left on default value.

CLI

/ppp profile add name=l2tp-profile local-address=L2TP-Pool remote-address=L2TP-Pool use-encryption=required change-tcp-mss=yes dns-server=8.8.8.8

2. Add a L2TP-Server

GUI

PPP > Interface > L2TP Server

Enabled: Checked
Max MTU: 1460
Max MRU: 1460
Keepalive Timeout: 30
Default Profile: mschap2
Use IPsec: Checked
IPsec Secret: MYKEY

CLI

/interface l2tp-server server set authentication=mschap2 default-profile=l2tp-profile enabled=yes ipsec-secret=MYKEY max-mru=1460 max-mtu=1460 use-ipsec=yes

3. Add PPP Secrets

GUI

PPP > Secrets

Enabled: Checked
Name: MYUSER
Password: MYPASSWORD
Service: l2tp
Profile: l2tp-profile

Let the rest as default.

CLI

/ppp secret add name=MYUSER password=MYPASSWORD service=l2tp profile=l2tp-profile

IPsec Configuration

On IPsec configuration, you can use the default configuration (like Proposals) but I would suggest to let those as default and add your new ones. In case that you already have some IPsec configuration which is already working and using the default configuration we don’t want to mess with that.

1. IPsec Proposals

GUI

IPsec > Proposals

Enabled: Checked
Name: L2TP-Proposal
Auth. Algorithm: sha1
Encr. Algorithm: 3des, aes-256 cbc
PFS Group: none

CLI

/ip ipsec proposal add name=L2TP-Proposal auth-algorithms=sha1 enc-algorithms=3des,aes-256-cbc pfs-group=none

Something to mention here. In version previous than 6.xx, you can pick only one encryption algorithm, if I remember correctly. You cannot add multiple algorithms (like 3des and aes-256 above). If this is the case, be sure to stay with 3des. I know it offer less security, but for some reason I could not force Microsoft Windows to work on L2TP via aes-256.

2. IPsec Peers

GUI

IPsec > Peers

Enabled: Checked
Address: 0.0.0.0
Auth. Method: pre shared key
Secret: MYKEY
Policy Template Group: default
Exchange Mode: main l2tp
Send Initial Contact: Checked
NAT Traversal: Checked
My ID: auto
Proposal check: obey
Hash Algorithm: sha1
Encryption Algorithm: 3des, aes-256
DH Group: modp1024
Generate policy: port override

CLI

/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="MYKEY" generate-policy=port-override exchange-mode=main-l2tp
 send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1 enc-algorithm=3des,aes-256 dh-group=modp1024

IMPORTANT

The value of the Secret field above, MUST be the same as in L2TP Configuration, Step 2.
Also, if your RouterOS support only one encryption algorithm, then pick 3des.

3. IPsec Policies

GUI

Enabled: Checked
Src. Address: ::/0
Dst. Address: ::/0
Protocol: 255(all)
Template: Checked
Group: default
Action: encrypt
Level: require
IPsec Protocols: esp
Tunnel: Not checked
SA Src. Address: 0.0.0.0
SA Dsr. Address: 0.0.0.0
Proposal: L2TP-Proposal

CLI

/ip ipsec policy add src-address=::/0 dst-address=::/0 protocol=all template=yes group=default action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=L2TP-Proposal

Below, I’ll add two examples how to configure the iPhone and Microsoft Windows to work with the above configuration.

iPhone

Go to Settings, VPN section and Add VPN Configuration…

It will look like this:

iPhone L2TP Configuration

The Server is the public IP address or FQDN of your Mikrotik. Account and Password are the one defined in L2TP Configuration Step 3. (MYUSER and MYPASSWORD in the example above). Secret , is the IPsec Secret Key defined in L2TP Configuration Step 2. and IPsec Configuration Step 2. (MYKEY in the example).

PC with Microsoft Windows

1. Add a new VPN connection

Add New VPN Connection

2. Pick the option Use my Internet connection

Chose VPN type

3. Add Mikrotik L2TP Server details

Add L2TP Mikrotik details

4. Add the user and password

Add L2TP user

Add this point Windows 7 force me to hit Connect. I will not work yet. Please follow the next steps.

You need to reach the Properties of your new VPN connection.

5. Configure the VPN Security settings.

Be sure to have the settings like in image below, to force encryption and use mschap2 protocol.

L2TP VPN Security

6. Set the IPsec Secret key

Hit the Advanced button and set the IPsec key

L2TP IPsec Key

Hit Connect and it will work. If you have questions please be sure to add them to Comments.

IPsec VPN Mikrotik to Cisco

Not long ago I wrote an article on how to configure an IPsec VPN using Mikrotik and Linux devices. For today, I will replace the Linux device with a Cisco. I did test the entire construct in GNS3 integrated with Mikrotik.

The topology looks like this:

IPsec VPN Mikrotik Cisco

The red line represent the IPsec VPN tunnel.
Please note the used IP addresses. In this way the below configuration will be easier to understand.

Mikrotik Configuration

1. Firewal rules

By default, the Mikrotik comes with the INPUT channel that drop the connection incoming on ether1-gateway (which is the WAN interface). You need to be sure that at least the IPsec packets are able to be accepted inbound on the WAN interface, so the below rules needs to be placed before the rule dropping packets (the Firewal rules are checked top-down)

On INPUT channel allow the following on the interface facing Internet
– Port 500/UDP
– Port 4500/UDP
– Proto 50
– Proto 51
It may be that you don’t need all these ports, but you can close them later. You can check logs if you want to troubleshoot.

On NAT channel, SRCNAT you need have the rule involving interesting traffic (local LAN subnets for example) before NAT masquerade.
You need to add a rule with ACCEPT source LOCAL_LAN (192.168.88.0/24 in this example) destination REMOTE_LAN (192.168.0.0/24 in this example).

On Console the configuration looks like this:

CLI

!
ip firewall filter add chain=input proto=ipsec-ah action=accept place-before=0
ip firewall filter add chain=input proto=ipsec-esp action=accept place-before=0
ip firewall filter add chain=input proto=udp port=500 action accept place-before=0
ip firewall filter add chain=input proto=udp port=4500 action accept place-before=0
!
ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.0.0/24 action=accept place-before=0

2. The IPsec Proposal

GUI

IP > IPsec > Proposals

Name: MyProposal
Auth. Algorithm: sha1
Encr. Algorithm: aes-256 cbc
PFS Group: none

CLI

ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none

3. The IPsec Policy

GUI

IP > IPsec > Policies

SRC ADDR: 192.168.88.0/24
DST ADDR: 192.168.0.0/24
Protocol: all
Action: Encrypt
Level: require
IPsec protocols: esp
Tunnel: check
SA SRC: 10.0.0.2
SA DST: 192.168.23.3
Proposal: MyProposal

CLI

ip ipsec policy add src-address=192.168.88.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.0.0.2 sa-dst-address=192.168.23.3 proposal=MyProposal

4. The IPsec Peer

GUI

IP > IPsec > Peers

Address: 192.168.23.3
Port: 500
Auth. Method: pre shared key
Passive: not checked
Secret: MYKEY
Policy Template Group: default
Exchange mode: main
Send Initial Contact: checked
NAT Traversal: checked
My ID: Auto - empty
Proposal Check: obey
Hash Algorithm: sha1
Encryptions Algorithm: aes-256
DH Group: modp1024
Generate policy: no

CLI

ip ipsec peer add address=192.168.23.3 port=500 auth-method=pre-shared-key secret=MY_KEY exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 generate-policy=no

Cisco configuration

1. Crypto ISAKMP Policy

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2

You can specify also the hash as sha1, but this is the default method on Cisco, so no extra line will appear.

2. Crypto ISAKMP neighbor

crypto isakmp key MYKEY address 10.0.0.2 no-xauth

3. Crypto IPsec transformation set

crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac
 mode tunnel

4. Crypto map

crypto map MYCRYPTOMAP 10 ipsec-isakmp
 description Mikrotik VPN
 set peer 10.0.0.2
 set transform-set MYTRANSFORMSET
 match address ACLTRAFF

5. Access-list for interesting traffic

ip access-list extended ACLTRAFF
 permit ip 192.168.0.0 0.0.0.255 192.168.88.0 0.0.0.255

6. Interface config

int fa1/0
 description Internet facing interface
 crypto map MYCRYPTOMAP

The settings (like encryption algorithm) can be tuned to fit your requirements.

If you have any questions or something is unclear please let me know in Comments.

How to integrate F5 BIG-IP VE with GNS3

I would like to start by saying Merry Christmas and Happy Holidays season to all. In between spending time with my family, decorating the Christmas three and opening presents, I did find some time to play around with my hobby and testing something in the lab.

Lately I wanted to get a feeling how F5 BIG-IP works, you know, just to get familiar with its interfaces, rules and being capable of setting up a basic LTM or APM. Far from me the idea of becoming an expert on the first touch, but it’s nice to discover new technologies.

Beside getting the F5 BIG-IP VE (Virtual Edition), running up VMware (ESXi, Player, Fusion or Workstation) and starting the virtual machine I also wanted to emulate some kind of real environment to test. So, I did build the below topology in GNS3:

F5 BIG-IP Simple setup

Some explanation:

  • Client WIN7 is a VM in VirtualBox and integrated in GNS3
  • WWW Servers are VMs in VirtualBox and integrated in GNS3
  • WIN2008 AD DC is a VM in VirtualBox and integrated in GNS3
  • Routers are emulated in GNS3
  • F5 BIG-IP VE is a VM in VMware Workstation and integrated as a Cloud in GNS3

GNS3 is version 1.2.1 which works perfect. Why VirtualBox and VMware Workstation? Usually I have no problem to have my VMs in VirtualBox, but I could not successfully import the F5 BIG-IP VE OVA image in VirtualBox. I had to download a trial version of VMware Workstation to install the OVA image.

If you want to know more about this F5 product, Ethan Banks has a great article about the BIG-IP VE. Please note that Ethan’s article is about getting a lab license for BIG-IP VE. I just went for the trial version. You can download the OVA image and get the license here:
https://www.f5.com/trial/secure/big-ip-ltm-virtual-edition.php

Download the BIG-IP VE OVA image, get a trial license (valid for 90 days) and install it in VMware Workstation. It may work with other VMware products, but in this article I’m using only VMware Workstation.

The part that gave me some headache was the how to have a successfully network communication between VMware Workstation and GNS3.

Before GNS3 1.2.1, when I had to use a “cloud” to integrate VirtualBox VMs in GNS3, I was configuring a TAP interface and use Bridge mode for the VM NIC to the TAP interface. Then on the GNS3 Cloud, I was adding the TAP as a Generic Ethernet NIO on the NIO Ethernet. If you want to refresh more deeply the above information please read my article about How to integrate GNS3 with VirtualBox.

Unfortunately, in VMware Workstation, I cannot just bridge a VMnet interface to a TAP and use that specific VMnet in a VM. I just could not make it work.

To cut it short, here are the steps that I had to follow to have this working. I assume that you have VMware Workstation installed already. Another detail is that I’m using Ubuntu 14.04 to test the entire scenario.

1. Add two VMnet interfaces in VMware Workstation Virtual Network Editor

Use the image below to have an idea what I mean.

Virtual Network Editor

2. Configure the BIG-IP VE NIC as follow in VMware Workstation

I assume that you have the BIG-IP VE OVA imported in VMware Workstation

BIG-IP VE NIC

I had 4 NICs originally, but I only need three:

  • VMnet0 is bridge to my real LAN interface so I can manage the F5 BIG-IP VE over Web / CLI interfaces
  • VMnet11 – one “internal” interface facing LAN (server side)
  • VMnet22 – one “external” interface facing WAN (client side)

3. Configure two tap interfaces for F5 BIG-IP VE to be used in GNS3

11 – internal, 22 – external

sudo tunctl -u user -t tap11
sudo tunctl -u user -t tap22

*user = the non-root user which you use on Ubuntu host.

If you are having problems to find tunctl command please do the following:

sudo apt-get install uml-utilities bridge-utils

Bring the interfaces up

sudo ifconfig tap11 up
sudo ifconfig tap22 up

4. Remove the IP addresses on both TAP and VMnet interfaces

sudo ifconfig tap11 0.0.0.0 promisc up
sudo ifconfig tap22 0.0.0.0 promisc up
sudo ifconfig vmnet11 0.0.0.0 promisc up
sudo ifconfig vmnet22 0.0.0.0 promisc up

5. Bridge the TAP and the VMnet interfaces

sudo brctl addbr br11
sudo brctl addif br11 tap11
sudo brctl addif br11 vmnet11
sudo brctl addbr br22
sudo brctl addif br22 tap22
sudo brctl addif br22 vmnet22

Bring the bridge interfaces up

sudo ifconfig br11 up
sudo ifconfig br22 up

5. Add the F5 BIG-IP VE to GNS3

If with GNS3 1.2.1 you can add the VirtualBox VMs directly, for the VMware Workstation (Player, Fusion, etc…) VMs you still need to you the Cloud part.

My GNS3 for F5 topology looks like this:

F5 topology in GNS3

And the GNS3 Cloud (representing the F5 BIG-IP VE) settings are the following:

F5 GNS3 Cloud settings

6. Connect the GNS3 Cloud interfaces to R1 and R2

Like shown in the image above, connect the TAP interface of the Cloud to the peer routers.

I’m running all applications (GNS3, VMware Workstation, VirtualBox) as non-root user. If you’re doing the same an error may occur in GNS3. Something like:

Server error [-3200] from x.x.x.x:8000: R1: unable to create TAP NIO

If this is the case, please run the following command on Ubuntu host:

sudo setcap cap_net_admin,cap_net_raw=ep /usr/local/bin/dynamips

This will help you setup the environment to test F5 BIG-IP VE in a lab environment totally virtualized. I’m not going to cover here how to configure the F5 BIG-IP VE. Maybe in one of my next articles.

If you encounter problems, please let me know in Comments.