IPsec VPN Mikrotik to Cisco

Not long ago I wrote an article on how to configure an IPsec VPN between Mikrotik and Linux devices. Today I will replace the Linux device with a Cisco router. I tested the entire setup in GNS3 integrated with Mikrotik.

The topology looks like this:

IPsec VPN Mikrotik Cisco

The red line represents the IPsec VPN tunnel.
Please note the IP addresses used; the configuration below will be easier to follow with them in mind.

Mikrotik Configuration

1. Firewall rules

By default, the Mikrotik comes with a rule in the INPUT chain that drops connections incoming on ether1-gateway (the WAN interface). You need to be sure that at least the IPsec packets are accepted inbound on the WAN interface, so the rules below need to be placed before the rule that drops packets (firewall rules are checked top-down).

On the INPUT chain, allow the following on the interface facing the Internet:
– Port 500/UDP
– Port 4500/UDP
– Proto 50
– Proto 51
You may not need all of these, but you can close the unneeded ones later. Check the logs if you want to troubleshoot.

On the NAT chain (SRCNAT), you need to have the rule matching the interesting traffic (the local LAN subnets, for example) before the NAT masquerade rule.
Add a rule with action ACCEPT, source LOCAL_LAN (192.168.88.0/24 in this example) and destination REMOTE_LAN (192.168.0.0/24 in this example), so that this traffic is not masqueraded and enters the tunnel with its original source address.

On Console the configuration looks like this:

CLI

# input chain: accept IPsec traffic before the default drop rule
/ip firewall filter add chain=input protocol=ipsec-ah action=accept place-before=0
/ip firewall filter add chain=input protocol=ipsec-esp action=accept place-before=0
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept place-before=0
/ip firewall filter add chain=input protocol=udp dst-port=4500 action=accept place-before=0
# srcnat chain: exempt the LAN-to-LAN traffic from masquerade so it enters the tunnel unchanged
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.0.0/24 action=accept place-before=0

2. The IPsec Proposal

GUI

IP > IPsec > Proposals

Name: MyProposal
Auth. Algorithm: sha1
Encr. Algorithm: aes-256 cbc
PFS Group: none

CLI

/ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none

3. The IPsec Policy

GUI

IP > IPsec > Policies

SRC ADDR: 192.168.88.0/24
DST ADDR: 192.168.0.0/24
Protocol: all
Action: Encrypt
Level: require
IPsec protocols: esp
Tunnel: check
SA SRC: 10.0.0.2
SA DST: 192.168.23.3
Proposal: MyProposal

CLI

/ip ipsec policy add src-address=192.168.88.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.0.0.2 sa-dst-address=192.168.23.3 proposal=MyProposal

4. The IPsec Peer

GUI

IP > IPsec > Peers

Address: 192.168.23.3
Port: 500
Auth. Method: pre shared key
Passive: not checked
Secret: MYKEY
Policy Template Group: default
Exchange mode: main
Send Initial Contact: checked
NAT Traversal: checked
My ID: Auto - empty
Proposal Check: obey
Hash Algorithm: sha1
Encryptions Algorithm: aes-256
DH Group: modp1024
Generate policy: no

CLI

/ip ipsec peer add address=192.168.23.3 port=500 auth-method=pre-shared-key secret=MYKEY exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 generate-policy=no

Cisco configuration

1. Crypto ISAKMP Policy

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2

You can also specify the hash as sha1 (the command is hash sha), but this is the default on Cisco IOS, so no extra line appears in the running configuration.

2. Crypto ISAKMP neighbor

crypto isakmp key MYKEY address 10.0.0.2 no-xauth

3. Crypto IPsec transformation set

crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac
 mode tunnel

4. Crypto map

crypto map MYCRYPTOMAP 10 ipsec-isakmp
 description Mikrotik VPN
 set peer 10.0.0.2
 set transform-set MYTRANSFORMSET
 match address ACLTRAFF

5. Access-list for interesting traffic

ip access-list extended ACLTRAFF
 permit ip 192.168.0.0 0.0.0.255 192.168.88.0 0.0.0.255

6. Interface config

int fa1/0
 description Internet facing interface
 crypto map MYCRYPTOMAP

The settings (like encryption algorithm) can be tuned to fit your requirements.
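The most common reason such a tunnel never comes up is that the two sides' proposals, pre-shared key or traffic selectors do not mirror each other. The Python script below is an added example, not part of the original post: it parses the RouterOS and IOS lines from this article and reports every mismatch it finds. The name-mapping tables (aes-256 to "encr aes 256", modp1024 to "group 2", and so on) are assumptions that cover only a few common values, and the parser handles RouterOS single-value algorithm fields only.

```python
import ipaddress
import re
import shlex

# Sample input: the page's own RouterOS lines (with the /ip prefix) and IOS lines.
ROUTEROS_CFG = """
/ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec policy add src-address=192.168.88.0/24 dst-address=192.168.0.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.0.0.2 sa-dst-address=192.168.23.3 proposal=MyProposal
/ip ipsec peer add address=192.168.23.3 port=500 auth-method=pre-shared-key secret=MYKEY exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 generate-policy=no
"""

IOS_CFG = """
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key MYKEY address 10.0.0.2 no-xauth
crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended ACLTRAFF
 permit ip 192.168.0.0 0.0.0.255 192.168.88.0 0.0.0.255
"""

# Assumed RouterOS -> IOS name mappings; only the entries used above are taken from the page.
PHASE1_ENC = {"aes-256": ("aes", "256"), "aes-128": ("aes", "128"), "3des": ("3des", None)}
PHASE1_HASH = {"sha1": "sha", "md5": "md5"}
DH_GROUP = {"modp1024": "2", "modp1536": "5", "modp2048": "14"}
PHASE2_ENC = {"aes-256-cbc": "esp-aes 256", "aes-128-cbc": "esp-aes 128", "3des": "esp-3des"}
PHASE2_AUTH = {"sha1": "esp-sha-hmac", "md5": "esp-md5-hmac"}


def wild_to_cidr(addr, wildcard):
    """Convert an IOS address/wildcard pair to CIDR text (192.168.0.0 0.0.0.255 -> 192.168.0.0/24)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return str(ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask)))))


def parse_routeros(text):
    """Return {section: {key: value}} for '/ip ipsec <section> add k=v ...' lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("/ip ipsec"):
            continue
        tokens = shlex.split(line)          # ['/ip', 'ipsec', 'peer', 'add', 'k=v', ...]
        cfg[tokens[2]] = dict(t.split("=", 1) for t in tokens[4:] if "=" in t)
    return cfg


def parse_ios(text):
    """Extract the IOS parameters that must agree with the RouterOS side."""
    cfg = {"isakmp": {"hash": "sha"}, "acl": []}   # 'hash sha' is the IOS default
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "encr":
            cfg["isakmp"]["encr"] = tuple(w[1:3]) if len(w) > 2 else (w[1], None)
        elif w[0] == "hash":
            cfg["isakmp"]["hash"] = w[1]
        elif w[0] == "group":
            cfg["isakmp"]["group"] = w[1]
        elif w[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk"], cfg["peer"] = w[3], w[5]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            m = re.match(r"(esp-\S+(?: \d+)?) (esp-\S+-hmac)", " ".join(w[4:]))
            cfg["transform"] = (m.group(1), m.group(2))
        elif w[:2] == ["permit", "ip"]:
            cfg["acl"].append((wild_to_cidr(w[2], w[3]), wild_to_cidr(w[4], w[5])))
    return cfg


def check_consistency(ros_text, ios_text):
    """Return a list of mismatch descriptions; an empty list means both sides agree."""
    ros, ios = parse_routeros(ros_text), parse_ios(ios_text)
    peer, prop, pol = ros["peer"], ros["proposal"], ros["policy"]
    problems = []
    if peer["secret"] != ios["psk"]:
        problems.append("pre-shared key differs")
    if ios["peer"] != pol["sa-src-address"]:
        problems.append("IOS 'crypto isakmp key ... address' is not the RouterOS SA source")
    if PHASE1_ENC.get(peer["enc-algorithm"]) != ios["isakmp"]["encr"]:
        problems.append("phase 1 encryption differs")
    if PHASE1_HASH.get(peer["hash-algorithm"]) != ios["isakmp"]["hash"]:
        problems.append("phase 1 hash differs")
    if DH_GROUP.get(peer["dh-group"]) != ios["isakmp"]["group"]:
        problems.append("phase 1 DH group differs")
    want = (PHASE2_ENC.get(prop["enc-algorithms"]), PHASE2_AUTH.get(prop["auth-algorithms"]))
    if want != ios["transform"]:
        problems.append("phase 2 transform differs")
    # The crypto ACL on the Cisco side must be the mirror image of the RouterOS policy.
    if (pol["dst-address"], pol["src-address"]) not in ios["acl"]:
        problems.append("crypto ACL does not mirror the RouterOS policy selectors")
    return problems


def main():
    print("page configs:", check_consistency(ROUTEROS_CFG, IOS_CFG) or "consistent")
    print("with 'group 5' on IOS:", check_consistency(ROUTEROS_CFG, IOS_CFG.replace("group 2", "group 5")))


if __name__ == "__main__":
    main()
```

Run it against the two sides of any such tunnel before looking at debug output; a single differing DH group or a non-mirrored selector is reported in one line instead of being inferred from phase 1 or phase 2 negotiation failures in the logs.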

If you have any questions or something is unclear please let me know in Comments.

Cisco Menu for Console Server

Let’s say that you have a Cisco router that you use as a console server to connect to the devices in your CCIE testing rack. If you want to allow other people to access your rack for training and don’t want to spend time explaining how to connect to each device from the console router, you need a menu for easy access.

We will define a menu on the console server. Start in configure terminal mode and type the command menu ?:

Console-Server(config)#menu ?
  WORD  Name of this menu

It looks like we need to define a name for the menu, so I’ll name it “CS” and add another question mark:

Console-Server(config)#menu CS ?
  clear-screen  Use termcap database to clear screen
  command       Set menu command
  default       Item number to use for RETURN
  line-mode     require <enter> after typing selection
  options       Set per-item options
  prompt        Set prompt string
  single-space  single-space menu entries on display
  status-line   Display user status at top of screen
  text          Set text of menu line
  title         Set menu title

This command lists your options for the menu configuration. I will start by clearing the screen after entering the menu CS:

Console-Server(config)#menu CS clear-screen

Next, I want users to know where they are connecting and what the purpose of this console server is, so I will add a title to the menu:

Console-Server(config)#menu CS title ^
Enter TEXT message.  End with the character '^'.
Welcome to FirstDigest.com CCIE Rack
^

We now have a menu with a title, but let’s tell users how to use it:

Console-Server(config)#menu CS prompt ^
Enter TEXT message.  End with the character '^'.
Choose and option and press Enter:
^

To actually require the user to press Enter, you need to specify this option in your menu:

Console-Server(config)#menu CS line-mode

If you don’t add the above option, the selected menu option runs immediately, without waiting for the Enter key.
We have the menu defined and the necessary information in place. Let’s add some functionality to it.
First I want to give the user the option to see the IP address they are connected to:

Console-Server(config)#menu CS command 1 sh ip int brief | e una
Console-Server(config)#menu CS text 1 Check the Console Server IP Address
Console-Server(config)#menu CS option 1 pause

What did I do above? I added the command needed to check the IP address. This command can be modified to meet your requirements; for me it is enough, since I have only one interface with an IP address. The command itself is invisible to the connected user: if you press the key 1 and then Enter, you get the output. Still, we don’t want users to guess what they have to do, so we’ll add some text.

The visible choice for your user is added with the “text” option, and my phrase is “Check the Console Server IP Address”. Of course this can be customized as you need.

The last option is “pause”. If you don’t add “pause”, your user will see no output, as the command runs in the background and the menu returns to the prompt immediately.

Notice that the item number (1 in my case) is the parameter that binds together all the options for this specific menu entry. It is displayed, of course, as key 1 on your keyboard.

Next, we’ll give the user the option to disconnect from the console server:

Console-Server(config)#menu CS command 2 exit
Console-Server(config)#menu CS text 2 Disconnect from Console Server

Let’s add some connections to the Cisco devices in the rack. I will add only a couple of connections as an example; you can extend and customize these commands as you want:

Console-Server(config)#menu CS command 3 telnet 10.1.1.1 2001
Console-Server(config)#menu CS text 3 Connect to R1
Console-Server(config)#menu CS command 4 telnet 10.1.1.1 2002
Console-Server(config)#menu CS text 4 Connect to R2
Console-Server(config)#menu CS command 5 telnet 10.1.1.1 2003
Console-Server(config)#menu CS text 5 Connect to R3
...

We have the menu configured now. To check what we configured, I usually do:

Console-Server#sh run | i menu

The menu section is complete, but we need to assign this menu to a user and force that user to use it. I will create a user which runs the menu CS as soon as he or she connects to the console router. My user has privilege level 15. If you are concerned with security, you can set another privilege level, but be sure to configure that level to support the commands you have in your menu. I will also configure another user for my own use, so that if something goes wrong I can connect remotely and fix the issue. This “Admin” user will not automatically run the menu we just created.

Console-Server(config)#username Tester privilege 15 password tester2012
Console-Server(config)#username Tester autocommand menu CS
Console-Server(config)#username Admin password cisco2012
! I will also enable telnet to test from a remote host
Console-Server(config)#line vty 0 4
Console-Server(config-line)#login local
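As an added example (not part of the original post), the Python script below generates the same kind of menu from a device list and checks it for the two mistakes that are easy to make by hand: an item with a command but no text (invisible to the user) and a menu with no exit. It assumes the page's console server address 10.1.1.1 and that device N is reached on TCP port 2000+N, the usual reverse-telnet mapping for async line N; the device list is constructed.

```python
# Assumptions: the console server address from the page, and the reverse-telnet
# convention that async line N answers on TCP port 2000+N.
RACK_HOST = "10.1.1.1"
DEVICES = ["R1", "R2", "R3"]          # constructed device list


def build_menu(name, title, prompt, devices, host=RACK_HOST, base_port=2000):
    """Return the 'menu <name> ...' configuration lines, mirroring the page's CS menu."""
    lines = [
        f"menu {name} clear-screen",
        f"menu {name} title ^\n{title}\n^",
        f"menu {name} prompt ^\n{prompt}\n^",
        f"menu {name} line-mode",                      # wait for Enter after a selection
        f"menu {name} command 1 show ip interface brief | exclude unassigned",
        f"menu {name} text 1 Check the Console Server IP Address",
        f"menu {name} options 1 pause",                # keep the command output on screen
        f"menu {name} command 2 exit",
        f"menu {name} text 2 Disconnect from Console Server",
    ]
    for n, device in enumerate(devices, start=1):
        item = n + 2                                   # items 1 and 2 are taken above
        lines.append(f"menu {name} command {item} telnet {host} {base_port + n}")
        lines.append(f"menu {name} text {item} Connect to {device}")
    return lines


def validate_menu(lines):
    """Flag invisible items (command without text), dead items (text without command)
    and a menu with no way to disconnect; returns [] when the menu is consistent."""
    commands, texts, has_exit = {}, set(), False
    for line in lines:
        words = line.split()
        if len(words) < 5 or words[0] != "menu":
            continue                                   # title/prompt/flags carry no item number
        if words[2] == "command":
            commands[words[3]] = " ".join(words[4:])
            has_exit = has_exit or words[4] == "exit"
        elif words[2] == "text":
            texts.add(words[3])
    problems = [f"item {n} has a command but no visible text"
                for n in sorted(set(commands) - texts, key=int)]
    problems += [f"item {n} has text but no command"
                 for n in sorted(texts - set(commands), key=int)]
    if not has_exit:
        problems.append("no item exits the menu")
    return problems


def main():
    menu = build_menu("CS", "Welcome to FirstDigest.com CCIE Rack",
                      "Choose an option and press Enter:", DEVICES)
    print("\n".join(menu))
    print("validation:", validate_menu(menu) or "ok")


if __name__ == "__main__":
    main()
```

Paste the generated lines into configuration mode and attach the menu to a user with autocommand as the page does; if you prefer the password stored hashed rather than reversibly, IOS accepts username ... secret in place of username ... password.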

I will simulate a remote connection to check that everything is working:

R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
 
 
User Access Verification
 
Username: Tester
Password: 
 
Welcome to FirstDigest.com CCIE Rack
 
 
    1          Check the Console Server IP Address
 
    2          Disconnect from Console Server
 
    3          Connect to R1
 
    4          Connect to R2
 
    5          Connect to R3
 
 
Choose and option and press Enter:

The menu is there. I will try some options to see if it works properly:

Choose and option and press Enter:
1
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Choose and option and press Enter:
2
 
[Connection to 10.1.1.1 closed by foreign host]

I recommend that you verify the menu functionality before you go “live”. You can test the menu directly on the Console Server:

Console-Server#menu CS

I hope this short tutorial helps you. If you have questions or something is not clear from my explanation, please use the comments and I will try to help.


Cisco NX-OS Malformed IP Packet Denial of Service Vulnerability

Summary

Cisco NX-OS Software is affected by a denial of service (DoS) vulnerability that could cause Cisco Nexus 1000v, 5000, and 7000 Series Switches that are running affected versions of Cisco NX-OS Software to reload when the IP stack processes a malformed IP packet.

Vulnerable Products

Cisco Nexus 1000v, 5000, and 7000 Series Switches that are running affected versions of Cisco NX-OS Software are affected by this vulnerability. The vulnerability is in the operating system’s IP stack; therefore, any feature that makes use of the services that are offered by the IP stack to process IP packets is affected.

Cisco NX-OS Software versions prior to the First Fixed Release version are affected. Refer to the Software Versions and Fixes section for details regarding fixed versions.

To determine the version of Cisco NX-OS Software that is running on a Cisco Nexus switch, administrators can log in to the device and issue the show version command to display the system banner.

Products Confirmed Not Vulnerable

Cisco NX-OS Software for products other than the Cisco Nexus 1000v, 5000, and 7000 Series Switches is not affected by this vulnerability. In particular, the following products that run Cisco NX-OS Software are not affected:

Cisco Nexus 2000 Series Switches
Cisco Nexus 3000 Series Switches
Cisco Nexus 4000 Series Switches
Unified Computing System (UCS)
Cisco MDS 9000 Series Multilayer Switches

No other Cisco products are currently known to be affected by this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120215-nxos

Cisco Easy VPN Router-to-Router

Cisco Easy VPN is not a new technology. Actually it is pretty old, but it is still used by many companies and people to connect remote sites and remote workers to headquarters.

A few days ago I was looking to connect a remote site in a simple but still secure way, and a colleague suggested I use Easy VPN. It was supposed to be a simple configuration, and it was, after solving all the issues that came into play.

First of all, I needed an Easy VPN Router (client) to Router (server) setup. The other method is a client (PC) with VPN software connecting to a Router / PIX / ASA / VPN Concentrator (server). Something like this:


The idea is that behind the client router I will have a group of people who need to connect to headquarters, so I don’t want each of them to use a personal VPN connection. Searching for possible configurations, I found this Cisco configuration example. The only issue in that document is that the Easy VPN tunnel needs manual intervention to connect, which I want to avoid.

For those who need a quick and secure Easy VPN connection here is my sample configuration:

EasyVPN-Server

!! We define a new AAA model for authentication and authorization
!! for remote VPN clients
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!! Generic username and password
username cisco password 0 cisco123
!
!! We configure a crypto isakmp policy. The number and encryption are your choice
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!! We add a key and, important, the “save-password” command
!! “save-password” allows the client to save the password, which an automatic
!! VPN connection needs
crypto isakmp client configuration group vpngrp
key cisco123
save-password
!
!! The IPsec transform set; you can pick a stronger one like esp-aes 256, but
!! this one will work fine for this example
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!! We get everything together in a crypto dynamic map
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!! Add the crypto map on the WAN interface or where your VPN tunnels will terminate
interface x/y
description WAN
crypto map clientmap

EasyVPN-Client

!! On the remote side we define an Easy VPN client
!! connect auto – means it will connect automatically
!! network-extension – connection between remote side LAN and server LAN will
!! not need NAT
!! peer is the VPN server IP address
!! xauth mode has to be local for auto connection without manual intervention
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 192.168.0.2
username cisco password cisco123
xauth userid mode local
!
!! Apply the already defined crypto to WAN interface
!! This will be automatically the Outside interface, even if you don’t
!! add the “outside” keyword at the end of the command
interface x/y
description WAN
crypto ipsec client ezvpn ez
!
!! Apply it on ALL L3 LAN interfaces that need to communicate over the VPN;
!! in addition, you need to specify the keyword “inside”
interface x/y
description ANY L3 LAN interface (SVI / Physical)
crypto ipsec client ezvpn ez inside

To test whether your tunnel is up, issue the following command on the Easy VPN client router:

#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : TEST
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 192.168.0.2

As you can see, the Current State shows IPSEC_ACTIVE.

Other commands that will help you check that everything is OK (these can be run on the client or the server side):
#show crypto isakmp sa
! Look for the “state” (it has to be QM_IDLE) and
! “status” (has to be ACTIVE)

#show crypto ipsec sa
! Look for #pkts encaps and #pkts decaps; the two counters should be close to each other
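Putting the three checks above into code: the Python below is an added example, not from the original post. It parses the page's show crypto ipsec client ezvpn output together with constructed show crypto isakmp sa and show crypto ipsec sa snippets (in the shape IOS prints them; 203.0.113.10 is a documentation address) and reports what a practitioner looks for: IPSEC_ACTIVE, a QM_IDLE/ACTIVE ISAKMP SA, save-password allowed, and encaps/decaps counters that stay within a chosen tolerance of each other.

```python
import re

# The first block is the page's own output; the other two are constructed samples.
EZVPN_OUTPUT = """Easy VPN Remote Phase: 8

Tunnel name : TEST
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 192.168.0.2
"""

ISAKMP_OUTPUT = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.0.2     203.0.113.10    QM_IDLE           1001 ACTIVE
"""

IPSEC_SA_OUTPUT = """
    #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
    #pkts decaps: 1497, #pkts decrypt: 1497, #pkts verify: 1497
"""


def parse_key_values(text):
    """Turn 'Key: value' lines into a dict; whitespace around the colon is tolerated."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_isakmp_sas(text):
    """Return (state, status) pairs from the data rows of 'show crypto isakmp sa'."""
    # dst src state conn-id status: the header row has no numeric conn-id and is skipped
    return re.findall(r"^\S+\s+\S+\s+(\S+)\s+\d+\s+(\S+)", text, flags=re.MULTILINE)


def parse_sa_counters(text):
    """Return (encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", text)
    dec = re.search(r"#pkts decaps:\s*(\d+)", text)
    if not (enc and dec):
        raise ValueError("no encaps/decaps counters found")
    return int(enc.group(1)), int(dec.group(1))


def tunnel_health(ezvpn_text, isakmp_text, sa_text, tolerance=0.2):
    """Return a list of findings; [] means the tunnel looks healthy by the page's criteria."""
    problems = []
    fields = parse_key_values(ezvpn_text)
    if fields.get("Current State") != "IPSEC_ACTIVE":
        problems.append(f"client state is {fields.get('Current State')!r}, not IPSEC_ACTIVE")
    if fields.get("Save Password") != "Allowed":
        problems.append("server does not allow save-password, which 'connect auto' needs")
    if not any(s == "QM_IDLE" and st == "ACTIVE" for s, st in parse_isakmp_sas(isakmp_text)):
        problems.append("no ISAKMP SA in state QM_IDLE with status ACTIVE")
    enc, dec = parse_sa_counters(sa_text)
    if enc == 0 and dec == 0:
        problems.append("no traffic has crossed the IPsec SA yet")
    elif abs(enc - dec) > tolerance * max(enc, dec):
        # Encrypting much more than we decrypt (or vice versa) usually means one-way traffic.
        problems.append(f"counters diverge (encaps={enc}, decaps={dec}); traffic may be one-way")
    return problems


if __name__ == "__main__":
    print(tunnel_health(EZVPN_OUTPUT, ISAKMP_OUTPUT, IPSEC_SA_OUTPUT) or "tunnel healthy")
```

The tolerance is a judgement call: a small difference between encaps and decaps is normal (packets in flight, different packet sizes per direction), while a counter that grows on one side only is the classic sign of a missing "inside" interface or a routing problem on the far end.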

I hope this will help you. If anything is unclear please ask in comments.


ACS 5.1 integration with Active Directory [Part II]

In the first part of this article, I described the installation process for Microsoft Active Directory a little. Now it’s time to go ahead and talk about the ACS 5.x integration with AD. In the meantime I changed the version “5.1” to “5.x”, as version 5.2 is already out there. This tutorial works for both versions.

Maybe you are wondering why I don’t have a separate chapter about the installation process of ACS 5.x. The reason is that the installation is pretty straightforward, as you can see below. You have to follow some instructions, add some mandatory information (IP address, username, password…) and you’re done. Very simple. Because an image is worth a thousand words, I took some screenshots during the process to make the explanation easier to follow.

Load the ACS 5.x image; after the initial screen you should see the following warning. YES is the correct answer.

ACS Installation Start

ACS 5.x will start the installation

ACS Package installation

If everything goes well, you should see a screen asking you to type the keyword “setup”.

ACS Setup

Next, ACS 5.x will ask for some mandatory information:

ACS Settings

Next, ACS 5.x will install all core files and, when done, it will show a login prompt. You can go ahead and log in, or open a web browser and type https://your-ip/acsadmin (in my case this would be https://172.31.82.8/acsadmin, according to the image above). You should see something like this:

ACS Login

The default username is acsadmin and the password is default. The system will require you to change the default password:

ACS Change password

The last step before the system is operational requires you to add the license file. If you got the ACS 5.x image from the Cisco website, they will provide you with a trial license file, or a standard / extended license if your company has already acquired one.

ACS License

If the installation part is very simple, the next lines I’m sure are critical for some of you. ACS 5.x is available for two platforms: a bare metal system (that means a dedicated machine) or a VMware appliance. If you are like me, then you don’t have a dedicated machine for testing ACS 5.x solutions, and VMware can sometimes be difficult to install and operate. The next alternative, which is free by the way, is VirtualBox. Thanks to Nick Bettison (Twitter @linickx) we now have a solution to install ACS 5.x on VirtualBox.

He describes step-by-step, in an easy to understand example, how you can install ACS 5.1 on VirtualBox. As confirmed in a later post, this solution also works for ACS 5.2; you just have to download that release from the Cisco website. As Nick says on his website, I also want to highlight that you will not find the ACS 5.x image for download either on his blog or here. If you have a CCO account you can download a trial version from the Cisco website. The trial is free and you can try the ACS solution for 90 days, which I would say is more than enough for the tests you have in mind.

Note: Lately I have seen on some websites images of ACS 5.x that claim to install directly on VirtualBox, without using Nick’s method. Most probably these images work just fine, but keep in mind that you’ll have to download those files from somewhere other than Cisco, and I think this is illegal. Using Nick’s method you are on the safe side, as you download the ACS 5.x image from the Cisco website and the rest of the tutorial uses open source tools.

OK, enough about this, let’s go and see how you can integrate ACS 5.x with AD.

I assume now that you have already installed an Active Directory system and an ACS 5.x (it doesn’t matter whether on a bare metal system, VMware or VirtualBox). Also, from the ACS 5.x CLI, check that you can reach the AD system (a ping test will do). This test has to be successful to proceed.

In the ACS 5.x web management interface, find the Users and Identity Stores section on the left panel and choose Active Directory:

ACS Active Directory

Important Note: While trying to join ACS to the AD domain, ACS and AD must be time-synchronized. Time in ACS is set according to the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same NTP server. If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with. Refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/acs5_1_cli.html for more information.

Let’s add ACS 5.x to the AD:

ACS AD setup

Complete the Active Directory Domain Name field with the necessary value. Then add the username and password. This user needs to be a domain administrator and have rights to add new machines to Active Directory. Use Test Connection to see if everything is correct, then save the configuration. After you save, you will notice that the Connectivity Status has changed and now shows the joined domain. Also, two additional tabs appear at the top of the page. You’re done!

It seems like an easy task and if everything is prepared in advance the integration itself will work like a charm. From experience I know that if this part is not working smoothly, troubleshooting is not an easy task. If you run into problems, please let me know in Comments and I will help as much as I can.

Next part will be about using the AD Groups and Users together with ACS 5.x.
