IKEv2 IOS between routers

09/12/2015

The following was thrown together in GNS3 to test IKEv2 for use in an IPsec/GRE deployment in conjunction with two VRFs over a single link.

It worked with IKEv1, and unfortunately the actual client requirement was to use IKEv2.

The GNS3 deployment was set up with R1 and R2 operating as the endpoints and R3 providing the interconnect, with a minimal ACL that only allows IPsec in and out of both of its interfaces.

R1:

!
! Last configuration change at 21:21:32 UTC Wed Dec 9 2015
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto ikev2 proposal IKEV2-PROPOSAL 
 encryption aes-cbc-256
 integrity sha512
 group 24
!
!
crypto ikev2 keyring IKEV2-KEYRING
 peer IKEV2-PEER
 address 192.168.100.1
 identity address 192.168.200.1
 pre-shared-key IKEV2-PASSWORD
 !
!
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 192.168.100.1 255.255.255.255 
 identity local address 192.168.200.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
!
!
!
ip tcp synwait-time 5
! 
!
!
crypto ipsec transform-set IKEV2-TRANSFORM esp-aes 256 esp-sha512-hmac 
 mode tunnel
!
crypto ipsec profile IKEV2-IPSEC-PROFILE
 set security-association lifetime 3600 seconds
 set security-association replay window-size 1024 
 set transform-set IKEV2-TRANSFORM 
 set ikev2-profile IKEV2-PROFILE
!
!
!
!
!
!
!
interface Tunnel1
 ip address 10.10.10.1 255.255.255.0
 tunnel source 192.168.200.1
 tunnel destination 192.168.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IKEV2-IPSEC-PROFILE
!
interface FastEthernet0/0
 ip address 192.168.200.1 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
router ospf 1
 router-id 10.10.10.1
 redistribute static subnets
 network 10.10.10.1 0.0.0.0 area 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.200.2
ip route 100.100.100.0 255.255.255.0 Null0
ip route 200.200.200.0 255.255.255.0 Null0
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

R2:


!
! Last configuration change at 21:24:36 UTC Wed Dec 9 2015
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto ikev2 proposal IKEV2-PROPOSAL 
 encryption aes-cbc-256
 integrity sha512
 group 24
!
!
crypto ikev2 keyring IKEV2-KEYRING
 peer IKEV2-PEER
 address 192.168.200.1
 identity address 192.168.100.1
 pre-shared-key IKEV2-PASSWORD
 !
!
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 192.168.200.1 255.255.255.255 
 identity local address 192.168.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
!
!
!
ip tcp synwait-time 5
! 
!
!
crypto ipsec transform-set IKEV2-TRANSFORM esp-aes 256 esp-sha512-hmac 
 mode tunnel
!
crypto ipsec profile IKEV2-IPSEC-PROFILE
 set security-association lifetime 3600 seconds
 set security-association replay window-size 1024 
 set transform-set IKEV2-TRANSFORM 
 set ikev2-profile IKEV2-PROFILE
!
!
!
!
!
!
!
interface Tunnel1
 ip address 10.10.10.2 255.255.255.0
 tunnel source 192.168.100.1
 tunnel destination 192.168.200.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IKEV2-IPSEC-PROFILE
!
interface FastEthernet0/0
 ip address 192.168.100.1 255.255.255.0
 duplex full
!
interface FastEthernet1/0
 no ip address
 shutdown
 speed auto
 duplex auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 speed auto
 duplex auto
!
router ospf 1
 router-id 10.10.10.2
 network 10.10.10.2 0.0.0.0 area 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.100.2
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

R3: INTERLINK ONLY

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
! 
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.200.2 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.100.2 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
 duplex auto
 speed auto
!
!
no ip http server
no ip http secure-server
!
!
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end
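As an added cross-check, written for this note and not part of the original post, the following Python pulls the values that have to mirror each other out of the R1 and R2 configs and reports any that do not. On IOS the keyring `identity address` under a peer names the remote peer's identity, so run against the post's configs as written, where each router lists its own address there, that is the one rule it reports.

```python
import re

# Constructed subset of the post's R1 config; the post's R2 is its exact
# mirror image, so mirror() derives it by swapping the two WAN addresses.
R1 = """\
crypto ikev2 keyring IKEV2-KEYRING
 peer IKEV2-PEER
  address 192.168.100.1
  identity address 192.168.200.1
  pre-shared-key IKEV2-PASSWORD
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 192.168.100.1 255.255.255.255
 identity local address 192.168.200.1
interface Tunnel1
 tunnel source 192.168.200.1
 tunnel destination 192.168.100.1
"""

def mirror(cfg, a="192.168.100.1", b="192.168.200.1"):
    """Swap the two peer addresses to produce the opposite router's config."""
    return cfg.replace(a, "@TMP@").replace(b, a).replace("@TMP@", b)

R2 = mirror(R1)
# One regex per setting, anchored at line start so 'address' cannot match 'identity address'.
PATTERNS = {
    "peer_addr":    r"^\s*address (\S+)$",           # keyring peer: remote IP
    "keyring_id":   r"^\s*identity address (\S+)$",  # keyring peer: remote identity
    "match_remote": r"^\s*match identity remote address (\S+)",
    "local_id":     r"^\s*identity local address (\S+)$",
    "tun_src":      r"^\s*tunnel source (\S+)$",
    "tun_dst":      r"^\s*tunnel destination (\S+)$",
    "psk":          r"^\s*pre-shared-key (\S+)$",
}

def fields(cfg):
    """First match of each pattern, or None when the setting is absent."""
    return {n: (m.group(1) if (m := re.search(p, cfg, re.M)) else None)
            for n, p in PATTERNS.items()}

def check_pair(local, remote):
    """Mirror-image rules that `local` breaks against `remote` (empty = consistent)."""
    a, b = fields(local), fields(remote)
    rules = [
        ("keyring peer address must equal the remote tunnel source", a["peer_addr"], b["tun_src"]),
        ("keyring identity address must equal the remote local identity", a["keyring_id"], b["local_id"]),
        ("match identity remote must equal the remote local identity", a["match_remote"], b["local_id"]),
        ("tunnel destination must equal the remote tunnel source", a["tun_dst"], b["tun_src"]),
        ("pre-shared keys must be identical on both sides", a["psk"], b["psk"]),
    ]
    return [rule for rule, x, y in rules if x is None or x != y]
```

Note that R3's ACL only permits UDP 500 plus ESP/AH, which is enough here because nothing is NATed between the two endpoints.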


Cisco Router and Avaya Phone VPN example

02/04/2013

!
ip local pool IPADDR_VPN_POOL x.x.x.x x.x.x.x
!
aaa new-model
!
aaa authentication login LETMEIN_GROUPx local
aaa authentication login userauthen local
aaa authorization network LETMEIN_GROUPx local
!
username AVAYAx1 password 0 xxxx1
username AVAYAx2 password 0 xxxx2
username AVAYAx3 password 0 xxxx3
username AVAYAx4 password 0 xxxx4
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group LETMEIN_GROUPx
 key $x$x$
 pool IPADDR_VPN_POOL
 pfs
!
crypto ipsec transform-set MYTSET_3DESx esp-3des esp-md5-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
! The transform-set name must match the one defined above.
crypto dynamic-map dynmap2 20
 set transform-set MYTSET_3DESx
 set pfs group2
 reverse-route
!
! The authorization list name must match the "aaa authorization network" list above.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list LETMEIN_GROUPx
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp dynamic dynmap2
!
interface XXX/XXX
 ip address X.X.X.X X.X.X.X
 crypto map clientmap
!


Mandatory, Supported, Disabled

31/03/2013

Cisco's documentation, in black and white, defines the Data Rates options as specifying the rates at which data can be transmitted between the access point and the client.

The available data rates are:

• 802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps

• 802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps

For each data rate, choose one of these options:

Mandatory—Clients must support this data rate in order to associate to an access point on the controller. Why force 11 Mbps on an SSID, if not to enforce better performance?

Supported—Any associated clients that support this data rate may communicate with the access point using that rate. However, the clients are not required to be able to use this rate in order to associate.

Disabled—The clients specify the data rates used for communication.

The notes say the clients must support, rather than operate at, this rate, and the Supported option is identified as not required. I think I will attempt to test the overall enforcement and remove any ambiguity. I know this is one where I've always assumed what the options mean…

More to follow


Wireless Aerial Coverage

31/03/2013

The following link was one I found when investigating the use of 1131AG access points. The positioning on a ceiling is certainly better qualified after reviewing this document.

http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008008883b.html


Securing RANCID CVSWEB

24/02/2013

Update the 000-default file with the following to add basic authentication.

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AuthType Basic
        AuthName "CVS REPO"
        AuthUserFile /etc/apache2/.htpasswd
        AllowOverride All
        Require valid-user
    </Directory>
</VirtualHost>

The command below creates a new user and prompts you for that user's password.

network@S-ABD-RANCID:$ sudo htpasswd -c .htpasswd myuser
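A quick audit of that vhost, written for this note and not part of the original post: it parses the `<Directory>` blocks and reports the things that silently defeat the protection, namely a missing `Require`, a password file placed under DocumentRoot, and Basic auth served on port 80 where the credentials travel in the clear.

```python
import re

# Constructed from the post's 000-default: the parts that decide whether
# /cgi-bin (cvsweb) is actually protected.
VHOST = """\
<VirtualHost *:80>
    DocumentRoot /var/www
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AuthType Basic
        AuthName "CVS REPO"
        AuthUserFile /etc/apache2/.htpasswd
        AllowOverride All
        Require valid-user
    </Directory>
</VirtualHost>
"""

def directory_blocks(conf):
    """Map each <Directory path> to {directive: value} for the lines inside it."""
    blocks = {}
    for m in re.finditer(r'<Directory\s+"?([^"\s>]+)"?>(.*?)</Directory>', conf, re.S):
        directives = {}
        for line in m.group(2).splitlines():
            parts = line.strip().split(None, 1)
            if parts:
                directives[parts[0]] = parts[1] if len(parts) > 1 else ""
        blocks[m.group(1).rstrip("/")] = directives
    return blocks

def audit_basic_auth(conf, protected="/usr/lib/cgi-bin"):
    """Findings (empty list = OK) for the Basic-auth protection of `protected`."""
    findings = []
    docroot = re.search(r"^\s*DocumentRoot\s+(\S+)", conf, re.M)
    d = directory_blocks(conf).get(protected)
    if d is None:
        return [f"no <Directory {protected}> block: nothing is protected"]
    if d.get("AuthType", "").lower() != "basic":
        findings.append("AuthType Basic missing")
    if "AuthUserFile" not in d:
        findings.append("AuthUserFile missing")
    elif docroot and d["AuthUserFile"].startswith(docroot.group(1).rstrip("/") + "/"):
        findings.append("AuthUserFile lives under DocumentRoot and can be downloaded")
    if "Require" not in d:
        findings.append("Require missing: AuthType/AuthUserFile alone enforce nothing")
    if re.search(r"<VirtualHost[^>]*:80>", conf) and "SSLEngine" not in conf:
        findings.append("Basic credentials cross the wire base64-encoded: serve over TLS")
    return findings
```

Remember that `htpasswd -c` creates the file and overwrites an existing one, so add later users without `-c`, and give the path from AuthUserFile (/etc/apache2/.htpasswd) rather than a relative .htpasswd in whatever directory you happen to be in.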


Cisco ASA, IPSEC bypass options (bozo)

24/02/2013

To permit any packet that arrives from an IPsec tunnel without checking interface ACLs such as OUTSIDE_ACCESS_IN, the following example enables IPsec traffic through the ASA without ACL checks:

hostname(config)# sysopt connection permit-vpn


VTP (never use it, but you need to know it)

24/02/2013

VLAN Trunking Protocol (VTP) is designed to ease administration of a large number of switches. It manages additions, deletions and renaming of VLANs. You can only apply one VTP domain to a switch.

There are three versions of VTP and only two of those are actively used (V3 is CatOS). VTP is a method of synchronising the VLAN databases of switches. The term domain is used to identify a cluster/group of switches. If the databases are to be shared then the domain name and any passwords set must match (not totally true; read below for more details).

VTP advertisements are based upon the revision number and are sent when a change is made or every 5 minutes. The advertisements are multicast frames.

A summary advertisement is sent out every 300 seconds and whenever a change occurs.

A subset advertisement is sent after a configuration change and carries the VLAN name, SAID value, type and MTU.

A request advertisement is sent from a client switch to obtain up-to-date information.

Each change made to a VLAN increases the revision number. A switch compares revision numbers when it receives an advertisement, and will overwrite its own VTP database if the update from one of its peers carries a higher revision (potentially making an automatic change to the assigned VLANs). The advertisement is then forwarded on to any neighbours. If the switch receives a VTP advertisement with a lower revision it replies with its own advertisement to update its neighbour.

The roles are:

SERVER: This is the default and allows the switch to create, delete and rename VLANs.

CLIENT: Apparently clients cannot make changes. However, I have seen events where client switches have been able to pass on updates to server peers.

TRANSPARENT: Allows the creation, deletion and renaming of VLANs, but all information remains local. This mode will still forward VTP information to its peers.

The show vtp status command identifies the version in use, the revision number and the number of VLANs being passed around via VTP.
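To make the revision-number behaviour above concrete, here is a small Python model written for this note (not from the original post and not Cisco code): each switch applies the domain/password check, the transparent pass-through and the higher-revision overwrite exactly as described, and `stale_lab_switch` plays out the classic accident where a server switch brought in from a lab with a higher revision replaces the production VLAN database; the same scenario with a VTP password set shows the mitigation.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    """Minimal model of one switch's VTP state (constructed for this note)."""
    name: str
    mode: str            # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=dict)   # VLAN id -> name

    def advertise(self):
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": dict(self.vlans)}

    def edit_vlan(self, vid, name):
        """Local change: clients refuse; servers bump the revision and advertise."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot edit VLANs")
        self.vlans[vid] = name
        if self.mode == "transparent":
            return None                 # stays local, nothing advertised
        self.revision += 1
        return self.advertise()

    def receive(self, adv):
        """Revision comparison from the post; returns what is forwarded or replied."""
        if adv["domain"] != self.domain or adv["password"] != self.password:
            return None                 # wrong domain or password: ignored
        if self.mode == "transparent":
            return adv                  # relayed to neighbours, database untouched
        if adv["revision"] > self.revision:
            self.revision, self.vlans = adv["revision"], dict(adv["vlans"])
            return adv                  # overwritten, then forwarded on
        if adv["revision"] < self.revision:
            return self.advertise()     # reply so the neighbour catches up
        return None

def stale_lab_switch(core_password=""):
    """A server switch reused from a lab carries a higher revision into production."""
    core = Switch("core", "server", "CORP", core_password, 10, {10: "users", 20: "voice"})
    access = Switch("access", "client", "CORP", core_password, 10, dict(core.vlans))
    lab = Switch("lab", "server", "CORP", "", 57, {99: "lab"})
    forwarded = core.receive(lab.advertise())
    if forwarded:
        access.receive(forwarded)
    return core.vlans, access.vlans
```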