May 18, 2012

Configuring Site-to-Site IPsec for IPv6 using Static VTI

It’s noticeable that there have been a number of IPv6 posts lately. Just look at Packetlife.net, Etherealmind.com, and IOS hints. IPv6 training has picked up significantly in addition to the internet chatter. So this little tutorial post comes directly out of a discussion during my IP6FD class in San Diego this week. The question is this: how do I configure a Site-to-Site IPsec VPN on Cisco IOS with IPv6? Here’s how it’s done using static Virtual Tunnel Interfaces (VTIs). As usual, we begin with a topology. In the topology I used routers as Host1 and Host2. All I need them to do is generate traffic to be encrypted by R1 and R2. R1 and R2 are connected via Fast Ethernet, but you can substitute your favorite WAN technology or Internet connectivity. There is NO IPv4 in this network.

[Figure: IPv6 encryption topology (Host1 - R1 - R2 - Host2)]

I begin on R1 assuming that IPv6 is already enabled and that you can ping directly across all links. Start by creating an ISAKMP policy.

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 192
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
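To show where the ISAKMP policy above leads, here is a complete static VTI configuration for both routers. This is an added example, not the configuration from the post or its zipped configs: the addressing (2001:db8::/32 documentation space), interface numbers, pre-shared key and the names AES192-SHA and VTI-PROF are all assumptions; the ISAKMP policy itself matches the one configured on R1 above.

```cisco
! ===== R1 ===== (constructed example; addresses and names are assumptions)
ipv6 unicast-routing
!
! Phase 1: same policy the post configures on R1
crypto isakmp policy 10
 encryption aes 192
 hash sha
 authentication pre-share
 group 2
! Pre-shared key for the IPv6 peer; the /128 prefix length is required in this form
crypto isakmp key VTI-PSK-EXAMPLE address ipv6 2001:db8:12::2/128
!
! Phase 2: transform set and the IPsec profile the tunnel will reference
crypto ipsec transform-set AES192-SHA esp-aes 192 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set AES192-SHA
!
interface FastEthernet0/0
 description WAN link to R2 (IPv6 only)
 ipv6 address 2001:db8:12::1/64
!
interface FastEthernet0/1
 description LAN to Host1
 ipv6 address 2001:db8:1::1/64
!
! The static VTI: anything routed out Tunnel0 is encrypted, no crypto ACL needed
interface Tunnel0
 description Static VTI to R2
 ipv6 address 2001:db8:100::1/64
 tunnel source FastEthernet0/0
 tunnel destination 2001:db8:12::2
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile VTI-PROF
!
! Route Host2's LAN into the tunnel
ipv6 route 2001:db8:2::/64 Tunnel0
!
! ===== R2 ===== (mirror image)
ipv6 unicast-routing
crypto isakmp policy 10
 encryption aes 192
 hash sha
 authentication pre-share
 group 2
crypto isakmp key VTI-PSK-EXAMPLE address ipv6 2001:db8:12::1/128
crypto ipsec transform-set AES192-SHA esp-aes 192 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set AES192-SHA
!
interface FastEthernet0/0
 description WAN link to R1 (IPv6 only)
 ipv6 address 2001:db8:12::2/64
!
interface FastEthernet0/1
 description LAN to Host2
 ipv6 address 2001:db8:2::1/64
!
interface Tunnel0
 description Static VTI to R1
 ipv6 address 2001:db8:100::2/64
 tunnel source FastEthernet0/0
 tunnel destination 2001:db8:12::1
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile VTI-PROF
!
ipv6 route 2001:db8:1::/64 Tunnel0
```

The point of the VTI approach is that the routing table, not a crypto ACL, decides what gets encrypted: any prefix routed to Tunnel0 is protected, and a ping from Host1 to Host2 should bring the tunnel up. Check it with `show crypto isakmp sa` (expect QM_IDLE) and `show crypto ipsec sa` (the encaps and decaps counters should both increase as traffic flows).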

Configuring SSL VPN with Full Tunnel Access on Cisco ASA 8.2 Part 1

This is a short excerpt from a lesson I taught on SSL VPNs using ASA 8.2 and the AnyConnect client. This is Part 1. Watch for Part 2 in the next day or so.

Happy Labbing!

Studies in VPN: Part 3

IOS LAN-to-LAN with PSK through an ASA. ***The catch: NAT configured and dynamic crypto maps configured.


I ran into an interesting situation:

r1#sh cry map
Crypto Map "vpn" 10 ipsec-isakmp
    Peer = 136.5.122.2
    Extended IP access list r1tor2
        access-list r1tor2 permit ip 150.1.1.0 0.0.0.255 150.2.2.0 0.0.0.255
    Current peer: 136.5.122.2
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
        3des-esp,
    }
    Interfaces using crypto map vpn:
        FastEthernet0/0

Pings fail:

r1#ping 150.2.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.....
Success rate is 0 percent (0/5)

But it looks like it's working based on the stats:

   local  ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (150.2.2.0/255.255.255.0/0/0)
   current_peer: 136.5.122.2:4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

 local crypto endpt.: 136.5.121.1, remote crypto endpt.: 136.5.122.2
 path mtu 1500, media mtu 1500
 current outbound spi: 674293ED

 inbound esp sas:
  spi: 0xBD012AAD(3170970285)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
    sa timing: remaining key lifetime (k/sec): (4590553/3219)
    IV size: 8 bytes
    replay detection support: Y

 inbound ah sas:

 inbound pcp sas:

 outbound esp sas:
  spi: 0x674293ED(1732416493)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
    sa timing: remaining key lifetime (k/sec): (4590551/3219)
    IV size: 8 bytes
    replay detection support: Y

 outbound ah sas:

 outbound pcp sas:

r1#

A little tweaking on the ASA, then clear the SAs on R1 and try again:

r1#clear cry sa
r1#
r1#
r1#sh cry isa sa
dst             src             state          conn-id slot
136.5.122.2     136.5.121.1     MM_NO_STATE          1    0 (deleted)

r1#ping 150.2.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/9/12 ms
r1#sh cry isa sa
dst             src             state          conn-id slot
136.5.122.2     136.5.121.1     QM_IDLE              2    0
136.5.122.2     136.5.121.1     MM_NO_STATE          1    0 (deleted)

r1#

So what was the problem? The access list on the ASA didn't allow NAT-T (the peer shows up as 136.5.122.2:4500 and the SAs as "Tunnel UDP-Encaps" above, so IKE and ESP had moved to UDP 4500).

On another note, the interesting thing about this configuration is that you have to initiate the connection from the inside, since R2 is using a dynamic crypto map.
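What the ASA fix looks like, as an added example rather than the post's own ASA configuration (the post only gives the router output): the peer addresses are the ones in the output above, while the interface name, ACL names and the direction the list is applied in are assumptions, and the NAT statements are left out because the post doesn't describe the ASA's inside topology.

```cisco
! ASA 8.2 -- constructed example. Peers as seen in the post's output:
! R1 = 136.5.121.1, remote crypto endpoint = 136.5.122.2
!
! BEFORE (the broken list, kept here for comparison and not applied):
! ISAKMP on UDP/500 and raw ESP are permitted, but once the peers detect
! a NAT device in the path they move IKE and ESP into UDP/4500 (NAT-T),
! and nothing here permits that port. Symptom: IKE completes, encaps
! counters climb on the router, pings still fail.
access-list VPN_PASS_OLD extended permit udp host 136.5.121.1 host 136.5.122.2 eq isakmp
access-list VPN_PASS_OLD extended permit esp host 136.5.121.1 host 136.5.122.2
!
! AFTER: the same list plus the NAT-T port.
access-list VPN_PASS extended permit udp host 136.5.121.1 host 136.5.122.2 eq isakmp
access-list VPN_PASS extended permit udp host 136.5.121.1 host 136.5.122.2 eq 4500
access-list VPN_PASS extended permit esp host 136.5.121.1 host 136.5.122.2
!
! Applied on the interface facing R1 ("inside" is an assumption); the ASA's
! stateful inspection permits the UDP return traffic for the same flows.
access-group VPN_PASS in interface inside
```

Two checks tie this back to the router output in the post. First, `show crypto ipsec sa` tells you whether NAT-T was negotiated at all: a peer listed with port 4500 and SAs marked "Tunnel UDP-Encaps" mean the firewall has to pass UDP/4500, and a rule for ESP alone will not help. Second, because R2 holds a dynamic crypto map it can only respond, never initiate, so the test traffic (the `ping ... source l0` from R1) has to come from R1's side, exactly as the note above says.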

Final Configs (zipped)