Showing posts with label VPN. Show all posts

Saturday, October 21, 2017

Install Mac OSX AnyConnect Package on Cisco Router

Symptoms: 
One of my clients reported a Cisco AnyConnect issue. It only happened on his machine, and later we found that it is because he is using a Mac. His credentials work fine when he uses them on a Windows machine.

From the following screenshot, it is obvious that the Mac AnyConnect package is missing from the VPN gateway.


Error Messages:
"VPN
The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again."


Monday, September 11, 2017

Cisco Router IKEv2 IPSec VPN Configuration

What are the differences between IKEv1 and IKEv2?
1. Different negotiation processes
− IKEv1
  • IKEv1 SA negotiation consists of two phases.
  • IKEv1 phase 1 negotiation aims to establish the IKE SA. This process supports main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, but aggressive mode uses only three. Therefore, aggressive mode is faster in IKE SA establishment. However, aggressive mode does not provide peer identity protection.
  • IKEv1 phase 2 negotiation aims to set up the IPSec SA for data transmission. This process uses quick mode (3 ISAKMP messages) to complete the negotiation.
− IKEv2
  • Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPSec SAs. To create multiple pairs of IPSec SAs, only one additional exchange is needed for each additional pair of SAs.

Tuesday, September 5, 2017

Troubleshooting Cisco IPSec Site to Site VPN - "QM Rejected"

There was a VPN issue to troubleshoot recently. It was between a Juniper SRX and a Cisco router. It seemed straightforward, but it took quite a long time to troubleshoot because of communication. All steps are listed here for my future reference.

Some other related posts:

Diagram

1. Enabled Debugging on Cisco IOS Router

vpn-R1#debug crypto ipsec
Crypto IPSEC debugging is on

vpn-R1#debug crypto isakmp
Crypto ISAKMP debugging is on

vpn-R1#debug crypto engine
Crypto Engine debugging is on

vpn-R1#terminal monitor




Wednesday, February 22, 2017

Renew Cisco IOS IPSec VPN Certificates from Symantec

I am not sure whether there is a better way to do it. There is no good documentation from Cisco or anywhere else on how to renew your SSL certificates once they have expired. Every couple of years I have to face this problem of renewing all the routers' SSL certificates. As far as I know, you cannot renew the existing certificates; you have to create a new trustpoint, generate a new CSR and import the renewed certificate. You can reuse the same trustpoint configuration as before, as long as you use a different trustpoint name.

I recorded the steps I followed a couple of years ago in the following posts:

Thursday, August 4, 2016

Cisco Configuration Professional (CCP) Configure IOS SSL VPN (AnyConnect SSL VPN)

Basic Cisco Configuration Professional (CCP) configuration has been posted before at the following link:
This post demonstrates how to use CCP to configure SSL VPN on an IOS router.

1. Confirm SSL-VPN License Installed

You can review another post on how to add a Cisco license to a router.

Wednesday, April 27, 2016

Monday, February 22, 2016

Cisco ASA Remote Access VPN Configuration 2 - AnyConnect VPN

Basic Cisco AnyConnect full-tunnel SSL VPN uses user authentication by username and password, provides IP address assignment to the client, and uses a basic access control policy. The client also authenticates the ASA with identity certificate-based authentication. Deployment tasks in this post are as follows:
  • Configure the basic ASA SSL VPN gateway features.
  • Configure local user authentication.
  • Configure IPv4/IPv6 address assignment.
  • Configure basic access control.
  • Install the Cisco AnyConnect Secure Mobility Client.
Initially, AnyConnect was an SSL-only VPN client. Starting with Version 3.0, AnyConnect became a modular client with additional features (including IPsec IKEv2 VPN terminations on Cisco ASA), but it requires a minimum of ASA 8.4(1) and ASDM 6.4(1).

Related posts in this blog:
1. Topology

In this post, Cisco Adaptive Security Appliance Software Version 9.1(2) and Device Manager Version 7.1(3) have been used as an example.


The DMZ interface (security level 50) will be used to simulate the external connection to the Internet.
The INTERNAL interface (security level 100) connects to the local network.

Friday, February 19, 2016

Cisco ASA Remote Access VPN Configuration 1 - Clientless SSL VPN

Remote access VPNs let single users connect to a central site through a secure connection over a TCP/IP network such as the Internet. Unlike other common VPN client solutions, the Clientless SSL VPN does not require that a client download and install a VPN client; all communications to the central location (where the ASA is located) are done via Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS).


This post describes how to build a remote access VPN connection using the Clientless SSL VPN feature.
Related posts in this blog:

1. Topology



Monday, January 11, 2016

Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (1) - High Availability IPSec

IPsec is a framework of open standards that provides data confidentiality, data integrity, and data authentication among participating peers. It provides these security services at the IP layer; it uses Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPsec. You can use IPsec to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

“IKE,” which stands for “Internet Key Exchange,” is a protocol that belongs to the IPsec protocol suite. Its responsibility is setting up the security associations that allow two parties to send data securely. IKE was introduced in 1998 and was superseded by version 2 roughly 7 years later.

This post summarizes a typical Cisco IOS IPSec VPN IKEv1 setup. It covers both standalone and High Availability implementations. The next post will cover how to use different CAs to authenticate IKE. This post focuses on IKEv1 (Internet Key Exchange version 1); IKEv2 will be summarized later in this blog.

Typical Topology:
R1: G0/0 - 19.26.116.141 (It is VIP in high availability deployment)
R2: G0/0 - 19.26.116.137

R1: G0/1 - Internal Interface for network 192.168.20.x/24
R2: G0/1 - Internal Interface for network 172.21.91.x/24

Saturday, January 9, 2016

Using Symantec SSL PKI to Authenticate Cisco IOS IPSec VPN - HA Deployment

The use of digital certificates as an authentication method for IPSec VPNs is becoming increasingly popular for both remote access and site-to-site deployments. Digital certificates require some form of PKI infrastructure, such as a CA server. In this post, the Symantec public CA will be used as an example to authenticate the certificates used between two IPSec VPN gateways. There are some other posts in this blog relating to this topic; please check them using the following list:

This post mainly documents the steps to build an IPSec VPN authenticated with third-party certificates, including how to submit each gateway's CSR to Symantec, get the certificates signed by the Symantec CA, and install the signed certificates on your gateways. The first 8 steps are the same for both the standalone deployment and the high availability implementation. The only difference is step 9, which is used only in the high availability configuration.

Wednesday, January 6, 2016

Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (2) - Using Two Different CA Certificates

Pre-shared keys and digital certificates are two primary authentication methods in IKE that can be used in the context of IPSec VPN deployments.

Digital certificates provide a means to digitally authenticate devices and individual users. An individual that wishes to send encrypted data obtains a digital certificate from a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available. The recipient of the encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA, and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply. Public key infrastructure (PKI) is the enabler for managing digital certificates for IPSec VPN deployment. The most widely used format for digital certificates is X.509, which is supported by Cisco IOS.

Saturday, August 15, 2015

Policy Based IPSec VPN Configuration Between SRX Firewalls

Juniper SRX supports both route-based and policy-based VPNs, which can be used in different scenarios depending on your environment and requirements.


Differences between them (KB15745)

With policy-based VPN tunnels, a tunnel is treated as an object that together with source, destination, application, and action, comprises a tunnel policy that permits VPN traffic. In a policy-based VPN configuration, a tunnel policy specifically references a VPN tunnel by name.

With route-based VPNs, a policy does not specifically reference a VPN tunnel. Instead, the policy references a destination address. When the security device does a route lookup to find the interface through which it must send traffic to reach that address, it finds a route via a secure tunnel (ST) interface, which is bound to a specific VPN tunnel.

Thus, with a policy-based VPN tunnel, you can consider a tunnel as an element in the construction of a policy. With a route-based VPN tunnel, you can consider a tunnel as a means for delivering traffic, and the policy as a method for either permitting or denying the delivery of that traffic.

Friday, January 16, 2015

Using PKI Build Route-Based IPSec VPN between Juniper SRX

There was a task to change the IPSec authentication method from pre-shared key to PKI certificate based. It was done on SRX240H and SRX1400 firewalls. This post records the steps and the troubleshooting of the errors I met during the configuration.

1. On both firewalls, generate a public/private key pair:

{primary:node0}root@fw-1> request security pki generate-key-pair certificate-id PRO size 2048
node0:
--------------------------------------------------------------------------
Generated key pair PRO, key size 2048 bits

2. Generate a certificate request from the key pair

{primary:node0}root@fw-1> request security pki generate-certificate-request certificate-id PRO subject "CN=Admin,CN=m.test.com,OU=IT,O=test,L=M,ST=ON,C=CA" email admin@test.com filename ms-cert-req
node0:
--------------------------------------------------------------------------
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Fingerprint:
c7:dd:83:11:d1:8a:54:6c:5c:1e:7e:cd:79:73:c0:71:b0:ba:a5:fc (sha1)
f6:10:e3:1f:c0:07:3e:dc:5c:e5:8e:b5:51:2b:9a:1e (md5)

3. Submit the certificate request to the CA and retrieve the certificates





Monday, December 15, 2014

Certificate Import Failed with "% Failed to parse or verify imported certificate" because of Verisign Using new Intermediate CA Certs G4

Symptoms:

I worked on an IPSec VPN certificate for a whole morning trying to import it, and finally gave up and asked Verisign for support. I had done this many times and had detailed documentation recorded for the steps. But this time the situation was different.

My previous post clearly shows all the steps I have to follow:
Unfortunately, this time the process got stuck at step 6 with the error "% Failed to parse or verify imported certificate"

m-dmz(config)#crypto pki import VerisignCA1 certificate 

Friday, December 12, 2014

Certification based Cisco IPSec VPN Down Caused by 'signature invalid'

Symptom:

Recently, I was troubleshooting a certificate-based IPSec VPN issue. One IPSec VPN router got rebooted, and afterwards the IPSec tunnel could not be re-established. It tested fine with a pre-shared key, but when it was changed back to certificates, ISAKMP authentication failed with a 'signature invalid' error.

Saturday, August 2, 2014

NetSec YouTube Videos