Showing posts with label VPN. Show all posts

Friday, February 15, 2019

Install Mac OSX AnyConnect Package on Cisco Router and on Mac Machine

One of my clients reported a Cisco AnyConnect issue. It only happened on his machine, and later we found that it was because he was using a Mac. His credentials work fine when he uses them on a Windows machine.

From the following screenshot, it is obvious that the Mac AnyConnect package is missing from the VPN gateway.

Error Messages:
The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.

Tuesday, December 18, 2018

Expose your local service to public: Ngrok, FRP, localtunnel

For many IT workers remotely involved with networking, it is quite common to need to expose an intranet application to the outside world in a secure manner. Unfortunately, we work most of the time from private IP networks, be that at the workplace, at home or at the coffee shop. The router(s) or firewall(s) that stand between our workstation and the Internet make it harder to expose a local socket to the outside. Most of the time, this is preferable for security.

A couple of solutions you can choose from:
1. Change your router / firewall configuration to do port forwarding or NAT from the public side to your application. But in many cases you won't be able to make those changes, or you may not even have that option.
2. Tunneling services: either self-hosted or cloud services such as:
  • Ngrok
  • FRP
  • Localtunnel
This post is going to explore some of the tunneling services I am using.


Setup & Installation
1. Download ngrok
ngrok is easy to install. Download a single binary with zero run-time dependencies. The following versions are available to download: Windows, Mac OS X, Linux, Mac (32-bit), Windows (32-bit), Linux (ARM), Linux (32-bit), FreeBSD (64-bit), FreeBSD (32-bit).

Wednesday, June 20, 2018

CISCO ASA Firewall and VPN Tips and Tricks

This post collects some useful commands used in my ASA configuration. It is not a step-by-step guide and not for a specific configuration; mostly they are for troubleshooting purposes. I found them useful, and hopefully you will too.

1. Clear VPN Configuration: 

clear configure crypto map VPN_AAAA

2. Debug and show commands:

Enable logging:

ciscoasa#terminal monitor
ciscoasa(config)# logging buffer-size 1048576
ciscoasa(config)# logging buffered 7
ciscoasa(config)# logging monitor 7
ciscoasa(config)# debug crypto condition peer
ciscoasa(config)# debug crypto ipsec 127

Monday, September 11, 2017

Cisco Router IKE v2 Site to Site IPSec VPN Configuration

What are the differences between IKEv1 and IKEv2?
1. Different negotiation processes
− IKEv1
  • IKEv1 SA negotiation consists of two phases.
  • IKEv1 phase 1 negotiation aims to establish the IKE SA. This process supports main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, but aggressive mode uses only three. Therefore, aggressive mode is faster in IKE SA establishment. However, aggressive mode does not provide peer identity protection.
  • IKEv1 phase 2 negotiation aims to set up the IPSec SA for data transmission. This process uses the fast exchange mode (3 ISAKMP messages) to complete the negotiation.
− IKEv2
  • Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPSec SAs. To create multiple pairs of IPSec SAs, only one additional exchange is needed for each additional pair of SAs.

Tuesday, September 5, 2017

Troubleshooting Cisco IPSec Site to Site VPN - "QM Rejected"

There was a VPN issue to troubleshoot recently. It was between a Juniper SRX and a Cisco router. It seemed straightforward, but it took quite a long time to troubleshoot because of communication. All steps are listed here for my future reference.

Some other related posts:


1. Enable Debugging on the Cisco IOS Router

vpn-R1#debug crypto ipsec
Crypto IPSEC debugging is on

vpn-R1#debug crypto isakmp
Crypto ISAKMP debugging is on

vpn-R1#debug crypto engine
Crypto Engine debugging is on

vpn-R1#terminal monitor

Wednesday, February 22, 2017

Renew Cisco IOS IPSec VPN Certificates from Symantec

I am not sure if there is a better way to do it. There is no good documentation from Cisco or elsewhere regarding what you should do to renew your SSL certificates once they have expired. Every couple of years, I have to face this problem of renewing all the routers' SSL certificates. As far as I know, you cannot renew the currently existing certificates; you will have to create a new trustpoint, generate a new CSR and import a renewed certificate. Actually, you can use the same trustpoint configuration configured before, as long as you are using a different trustpoint name.

I recorded the steps I went through a couple of years ago in the following posts:

Thursday, August 4, 2016

Cisco Configuration Professional (CCP) Configure IOS SSL VPN (AnyConnect SSL VPN)

Basic Cisco Configuration Professional (CCP) configuration has been posted before at the following link:
This post demonstrates how to use CCP to configure SSL VPN on an IOS router.

1. Confirm SSL-VPN License Installed

You can review another post regarding how to add a Cisco license to a router.

Wednesday, April 27, 2016

Monday, February 22, 2016

Cisco ASA Remote Access VPN Configuration 2 - AnyConnect VPN

A basic Cisco AnyConnect full-tunnel SSL VPN authenticates users by username and password, provides IP address assignment to the client, and uses a basic access control policy. The client also authenticates the ASA using its identity certificate. The deployment tasks in this post are as follows:
  • Configure the basic ASA SSL VPN gateway features.
  • Configure local user authentication.
  • Configure IPv4/IPv6 address assignment.
  • Configure basic access control.
  • Install the Cisco AnyConnect Secure Mobility Client.
Initially, AnyConnect was an SSL-only VPN client. Starting with Version 3.0, AnyConnect became a modular client with additional features (including IPsec IKEv2 VPN terminations on Cisco ASA), but it requires a minimum of ASA 8.4(1) and ASDM 6.4(1).

Related posts in this blog:
1. Topology

In this post, Cisco Adaptive Security Appliance Software Version 9.1(2) and Device Manager Version 7.1(3) have been used as an example.

The DMZ (security level 50) interface will be used to simulate the external connection to the Internet.
The INTERNAL (security level 100) interface connects to the local network.

Friday, February 19, 2016

Cisco ASA Remote Access VPN Configuration 1 - Clientless SSL VPN

Remote access VPNs let individual users connect to a central site through a secure connection over a TCP/IP network such as the Internet. Unlike other common VPN client solutions, the Clientless SSL VPN does not require the user to download and install a VPN client; all communications to the central location (where the ASA is located) are done via Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS).

This post describes how to build a remote access VPN connection using the Clientless SSL VPN feature.
Related posts in this blog:

1. Topology

Monday, January 11, 2016

Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (1) - High Availability IPSec

IPsec is a framework of open standards that provides data confidentiality, data integrity, and data authentication among participating peers. It provides these security services at the IP layer; it uses Internetwork Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPsec. You can use IPsec to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

“IKE,” which stands for “Internet Key Exchange,” is a protocol that belongs to the IPsec protocol suite. Its responsibility is setting up the security associations that allow two parties to send data securely. IKE was introduced in 1998 and was superseded by version 2 roughly 7 years later.

This post summarizes a typical Cisco IOS IPSec VPN IKEv1 setup. It covers both standalone and High Availability implementations. The next post will cover how to use different CAs to authenticate IKE. This post focuses on IKEv1 (Internet Key Exchange version 1); IKEv2 will be summarized later in this blog.

Typical Topology:
R1: G0/0 - (It is VIP in high availability deployment)
R2: G0/0 -

R1: G0/1 - Internal Interface for network 192.168.20.x/24
R2: G0/1 - Internal Interface for network 172.21.91.x/24

Saturday, January 9, 2016

Using Symantec SSL PKI to Authenticate Cisco IOS IPSec VPN - HA Deployment

Using digital certificates as an authentication method for IPSec VPNs is becoming increasingly popular for both remote access and site-to-site deployments. The use of digital certificates requires some form of PKI infrastructure, such as a CA server. In this post, the Symantec public CA will be used as an example to authenticate the certificates used between two IPSec VPN gateways. There are some other posts in this blog related to this topic; please check them using the following list:

This post mainly documents the steps to build a third-party-certificate-based IPSec VPN, including how to submit the gateway's CSR to Symantec, get your certificates signed by the Symantec CA, and install those signed certificates on your gateways. The first 8 steps are the same for both the standalone deployment and the high availability implementation. The only difference is at step 9, which is used only in the high availability configuration.

Wednesday, January 6, 2016

Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (2) - Using Two Different CA Certificates

Pre-shared keys and digital certificates are two primary authentication methods in IKE that can be used in the context of IPSec VPN deployments.

Digital certificates provide a means to digitally authenticate devices and individual users. An individual that wishes to send encrypted data obtains a digital certificate from a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available. The recipient of the encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA, and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply. Public key infrastructure (PKI) is the enabler for managing digital certificates for IPSec VPN deployment. The most widely used format for digital certificates is X.509, which is supported by Cisco IOS.

Saturday, August 15, 2015

Policy Based IPSec VPN Configuration Between SRX Firewalls

Juniper SRX supports both route-based and policy-based VPNs, which can be used in different scenarios depending on your environment and requirements.

Differences between them (KB15745)

With policy-based VPN tunnels, a tunnel is treated as an object that together with source, destination, application, and action, comprises a tunnel policy that permits VPN traffic. In a policy-based VPN configuration, a tunnel policy specifically references a VPN tunnel by name.

With route-based VPNs, a policy does not specifically reference a VPN tunnel. Instead, the policy references a destination address. When the security device does a route lookup to find the interface through which it must send traffic to reach that address, it finds a route via a secure tunnel (ST) interface, which is bound to a specific VPN tunnel.

Thus, with a policy-based VPN tunnel, you can consider a tunnel as an element in the construction of a policy. With a route-based VPN tunnel, you can consider a tunnel as a means for delivering traffic, and the policy as a method for either permitting or denying the delivery of that traffic.

Friday, January 16, 2015

Using PKI Build Route-Based IPSec VPN between Juniper SRX

There was a task to change the IPSec authentication method from pre-shared key to PKI certificate based. It was used on SRX240H and SRX1400 firewalls. This post records the steps and the troubleshooting of the errors I met during the configuration.

1. On both firewalls, generate a public/private key pair:

{primary:node0}[email protected]-1> request security pki generate-key-pair certificate-id PRO size 2048   
Generated key pair PRO, key size 2048 bits

2. Generate a certificate request from the key pair

[email protected]> clear security pki certificate-request ?
Possible completions:
  all                  Clear all certificate requests
  certificate-id       Certificate identifier
[email protected]> clear security pki certificate-request all      
[email protected]>request security pki generate-certificate-request certificate-id PRO subject ",OU=IT,O=John Yan Firm Inc.,L=Toronto,ST=ON,C=CA" email [email protected] filename ms-cert-req                                   
Generated certificate request
18:fc:10:eb:f8:8f:b9:08:25:64:02:9c:c0:12:56:74:3b:fb:f5:3d (sha1)
5b:8e:40:5c:68:21:51:ea:bf:42:f9:d4:c7:2c:2d:15 (md5)

3. Submit the Certificate Request to the CA and Retrieve the Certificates

Monday, December 15, 2014

Certificate Import Failed with "% Failed to parse or verify imported certificate" because of Verisign Using new Intermediate CA Certs G4

I worked on the IPSec VPN certificate for the whole morning trying to import a certificate, and finally gave up and asked Verisign for support. I have done this many times and have detailed documentation recorded for the steps. But this time, the situation was different.

My previous post clearly shows all the steps I have to follow:
Unfortunately, this time the process got stuck at step 6 with the error "% Failed to parse or verify imported certificate"

m-dmz(config)#crypto pki import VerisignCA1 certificate 

Friday, December 12, 2014

Certification based Cisco IPSec VPN Down Caused by 'signature invalid'

Recently, I was troubleshooting an IPSec VPN certificate issue. One IPSec VPN router got rebooted, and then the IPSec tunnel could not be re-established. It tested fine with a pre-shared key. But when changed back to certificate authentication, ISAKMP authentication failed with a 'signature invalid' error.