VPN3k CLI only

Posted December 18th, 2008 by bcarroll and filed in CCIE Security, IE Labs, Studies In VPN

It is possible to configure an L2L (LAN-to-LAN) session on a VPN3k using the CLI only. It is a completely different configuration. Here is the summary of it:

  1. Create a Security Association (SA).
  2. Create inbound and outbound rules for the hosts to be encrypted.
  3. Apply the rules to the public filter with the action of “Apply IPSec” and attach the Security Association.
  4. Create a group with the pre-shared key.
  5. Set the group to type L2L.

Now it seems like a short list but jumping around in the CLI menus makes it tough.

TIP: When you are looking at the public filter you want to see the IPSec rules applied with the Security Association attached.

Studies in VPN: Part 3

Posted October 24th, 2008 by bcarroll and filed in CCIE Security, IE Labs, Studies In VPN

IOS LAN-to-LAN with PSK through an ASA.
***The catch: NAT is configured and a dynamic crypto map is in use on R2.



I ran into an interesting situation:

r1#sh cry map
Crypto Map "vpn" 10 ipsec-isakmp
	Peer = 136.5.122.2
	Extended IP access list r1tor2
	    access-list r1tor2 permit ip 150.1.1.0 0.0.0.255 150.2.2.0 0.0.0.255
	Current peer: 136.5.122.2
	Security association lifetime: 4608000 kilobytes/3600 seconds
	PFS (Y/N): N
	Transform sets={
		3des-esp,
	}
	Interfaces using crypto map vpn:
		FastEthernet0/0

Pings fail:

r1#ping 150.2.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.....
Success rate is 0 percent (0/5)

But it looks like it's working based on the stats:

local  ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (150.2.2.0/255.255.255.0/0/0)
   current_peer: 136.5.122.2:4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 136.5.121.1, remote crypto endpt.: 136.5.122.2
     path mtu 1500, media mtu 1500
     current outbound spi: 674293ED

     inbound esp sas:
      spi: 0xBD012AAD(3170970285)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4590553/3219)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x674293ED(1732416493)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4590551/3219)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

r1#

A little tweaking on the ASA, clear the SA and try again:

r1#clear cry sa
r1#
r1#
r1#sh cry isa sa
dst             src             state          conn-id slot
136.5.122.2     136.5.121.1     MM_NO_STATE          1    0 (deleted)

r1#ping 150.2.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/9/12 ms
r1#sh cry isa sa
dst             src             state          conn-id slot
136.5.122.2     136.5.121.1     QM_IDLE              2    0
136.5.122.2     136.5.121.1     MM_NO_STATE          1    0 (deleted)

r1#

So what was the problem? The access-list on the ASA didn't allow NAT-T (UDP/4500), which the SA output above shows is in use (“Tunnel UDP-Encaps”, peer port 4500).

On another note, the interesting thing about this configuration is that you have to initiate the connection from the inside, since R2 is using a dynamic crypto map (a dynamic map can only answer a peer, never initiate to one).
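The following script is an added example, not code from the post. It reads the two `show` outputs the way this troubleshooting session did: it takes the `show crypto ipsec sa` counters before and after a batch of test pings, so that the counter deltas (rather than the absolute numbers, which were climbing even though pings failed) say whether the probes were encrypted and whether anything came back, checks the ISAKMP SA state, and emits the ASA outside-in ACL entries a site-to-site tunnel through the firewall needs, including the UDP/4500 line for NAT-T that was missing here. The “after” snapshot is trimmed from the output shown above; the “before” snapshot and the ISAKMP table are constructed to match it, and the function names are my own.

```python
"""Separate "tunnel is up" from "tunnel is passing traffic" using IOS
`show crypto ipsec sa` / `show crypto isakmp sa` output, then emit the ASA
outside-in ACL the tunnel needs. Added example, not part of the original post."""
import re

# Snapshot after 5 failed pings: trimmed from the post's own output.
AFTER_FAILED_PINGS = """\
   local  ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (150.2.2.0/255.255.255.0/0/0)
   current_peer: 136.5.122.2:4500
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
    #send errors 1, #recv errors 0
     inbound esp sas:
        in use settings ={Tunnel UDP-Encaps, }
"""
# Constructed: the same SA 5 pings earlier (encaps 5 lower, decaps unchanged).
BEFORE_FAILED_PINGS = AFTER_FAILED_PINGS.replace("encaps: 29", "encaps: 24")
# Constructed: ISAKMP table while phase 1 was up but pings still failed.
ISAKMP_UP = """\
dst             src             state          conn-id slot
136.5.122.2     136.5.121.1     QM_IDLE              1    0
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_ipsec_sa(text):
    """Pull peer, NAT-T flag and packet counters out of `show crypto ipsec sa`."""
    def count(label):
        m = re.search(rf"#pkts {label}: (\d+)", text)
        return int(m.group(1)) if m else 0

    # IOS prints either "current_peer: A.B.C.D:4500" or "current_peer A.B.C.D port 4500"
    peer = re.search(rf"current_peer:?\s*{IPV4}(?:(?::|\s+port\s+)(\d+))?", text)
    err = re.search(r"#send errors (\d+)", text)
    return {
        "peer": peer.group(1) if peer else None,
        "peer_port": int(peer.group(2)) if peer and peer.group(2) else None,
        # UDP-Encaps in the SA settings (or peer port 4500) means NAT-T is in use
        "nat_t": "UDP-Encaps" in text or bool(peer and peer.group(2) == "4500"),
        "encaps": count("encaps"),
        "decaps": count("decaps"),
        "send_errors": int(err.group(1)) if err else 0,
    }


def parse_isakmp_sa(text):
    """Return the states of live (non-deleted) ISAKMP SAs."""
    states = []
    for line in text.splitlines():
        m = re.match(rf"\s*{IPV4}\s+{IPV4}\s+(\S+)\s+\d+\s+\d+(.*)$", line)
        if m and "deleted" not in m.group(4):
            states.append(m.group(3))
    return states


def diagnose(before, after, isakmp, probes_sent):
    """Compare two ipsec-sa snapshots taken around `probes_sent` test packets.
    Deltas say what happened to *these* probes: encaps rising means the crypto
    map matched and encrypted them; decaps flat means nothing came back."""
    b, a = parse_ipsec_sa(before), parse_ipsec_sa(after)
    d_enc, d_dec = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
    checks = []
    if "QM_IDLE" not in parse_isakmp_sa(isakmp):
        verdict = "phase1-down"
        checks.append("no ISAKMP SA in QM_IDLE: check PSK, policy match and UDP/500 reachability")
    elif d_enc == 0:
        verdict = "not-encrypting"
        checks.append(f"0 of {probes_sent} probes encrypted: traffic is not matching the crypto ACL")
    elif d_dec == 0:
        verdict = "no-return-traffic"
        checks.append(f"{d_enc} of {probes_sent} probes encrypted, none decrypted: return path broken")
        if a["nat_t"]:
            checks.append(f"NAT-T in use (peer {a['peer']} port {a['peer_port']}): transit "
                          "firewall must permit UDP/4500 both ways, not only UDP/500 and ESP")
        else:
            checks.append("transit firewall must permit ESP (IP proto 50) and UDP/500 both ways")
    else:
        verdict = "passing"
    return {"verdict": verdict, "encaps_delta": d_enc, "decaps_delta": d_dec,
            "nat_t": a["nat_t"], "checks": checks}


def asa_outside_acl(name, src="any", dst="any", nat_t=False):
    """ASA outside-in ACL entries for an IPsec peer beyond the firewall.
    src/dst are ASA address tokens ("any" or "host A.B.C.D"); on pre-8.3 ASA code
    the outside ACL matches the translated address, so dst is the inside peer's
    static-NAT address there. The third line is the one NAT-T needs."""
    lines = [f"access-list {name} extended permit esp {src} {dst}",
             f"access-list {name} extended permit udp {src} {dst} eq 500"]
    if nat_t:
        lines.append(f"access-list {name} extended permit udp {src} {dst} eq 4500")
    return lines


if __name__ == "__main__":
    result = diagnose(BEFORE_FAILED_PINGS, AFTER_FAILED_PINGS, ISAKMP_UP, probes_sent=5)
    print(result["verdict"])
    for check in result["checks"]:
        print(" -", check)
    print("\n".join(asa_outside_acl("outside_in", nat_t=result["nat_t"])))
```

Run it as-is and it reports `no-return-traffic` with the UDP/4500 check; with `nat_t=False` the ACL it prints is the ESP-plus-ISAKMP pair used in Part 2 below, which is exactly what was insufficient once NAT sat between the peers.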

Final Configs (zipped)

Studies in VPN: Part 2

Posted October 22nd, 2008 by bcarroll and filed in CCIE Security, IE Labs, Studies In VPN

IOS to IOS with PSK thru an ASA without NAT

The topology:


Allow ESP and ISAKMP through the ASA (the lab ACL below permits them from any host to any host; in production you would restrict both to the peer addresses):

ciscoasa(config-router)# conf t
ciscoasa(config)# access-l outside_in permit esp any any
ciscoasa(config)# access-l outside_in permit udp any any eq isakmp
ciscoasa(config)# access-g outside_in in int outside
ciscoasa(config)#

Over on R2 I create a loopback to encrypt traffic to R1:

r2(config)#int lo0
r2(config-if)#ip add 150.1.2.2 255.255.255.0
r2(config-if)#

Next, create an ISAKMP policy:

Studies in VPN: Part 1

Posted October 22nd, 2008 by bcarroll and filed in CCIE Security, IPExpert Labs, Studies In VPN

DISCLAIMER***

The first note I want to make with regard to the VPN topics that I will be blogging is that these are actually my personal notes from Internetwork Expert's Volume 1 and 2 Lab Guide and the IPexpert Security Lab Workbook. There are a few topologies that I will be exploring, and I don't plan on taking you through each step of the lab guide; rather, I will be making notes on the tangents I take. If you want to do their labs, don't rely on these posts; go buy their workbooks. It's worth every penny.

Site-to-Site between routers with a PIX in the middle

The First VPN configuration is based on one of the IPexpert Security Workbook Labs. It requires that I configure a VPN between two routers, with the VPN traffic passing through a PIX.

The first step was to load the default configs. There were no defaults for the switches, so I had to create them on the fly. You can find the initial configurations here:

Switch1
Switch2
R1
R2
R4
R5
PIX

The next step was to statically map R5 and make sure that IPSec traffic could pass through the PIX: