Showing posts with label VPN. Show all posts

Saturday, August 2, 2014

Cisco VPN LAB 3 : A Simple DMVPN Configuration Example

1. Topology
a. The rack is from IOU v5. This lab uses seven routers to complete the whole DMVPN configuration and test.


Sunday, June 1, 2014

Cisco VPN LAB 2 : IPSec VPN Example Between two ASA 8.4.2

Cisco VPN Lab Series:

Cisco VPN LAB 1 : Simple Easy VPN Example between Routers and Comparison with DMVPN
Cisco VPN LAB 2 : IPSec VPN Example Between Two ASA 8.4.2
Cisco VPN LAB 3 : EZ VPN Between ASA 8.4.2, IOS Router and EZVPN Client Software

Protocols and standards used in the IPsec protocol suite:

- ESP (Encapsulating Security Payload): confidentiality plus integrity/authentication of the payload
- AH (Authentication Header): integrity/authentication only, no encryption
- IKE (Internet Key Exchange): IKE phase 1 authenticates the peers and sets up the secure management channel (the ISAKMP SA) under which the VPN channel is then negotiated
- Encryption algorithms (DES, 3DES, AES)
- DH (Diffie-Hellman groups) for key agreement
- Hash algorithms (MD5, SHA-1)
- SA (Security Association)
- IPsec SA (IKE phase 2, Quick Mode): negotiates the SAs that protect the actual data that needs to be secured

Topology

 

Wednesday, May 21, 2014

Cisco VPN LAB 1: Simple Easy VPN Example between Routers

VPN Lab Series:
Cisco VPN LAB 1 : Simple Easy VPN Example between Routers and Comparison with DMVPN
Cisco VPN LAB 2 : IPSec VPN Example Between Two ASA 8.4.2
Cisco VPN LAB 3 : EZ VPN Between ASA 8.4.2, IOS Router and EZVPN Client Software

While working on Easy VPN and DMVPN, I completed this first lab on EZVPN, and have also listed some useful resources at the bottom of this post.

1. Topology


This lab again uses my favorite IOU rack v3. The physical connections and IP addresses are shown on the diagram.

R1 is the Easy VPN server and R2 is the client. This lab shows how to configure a basic Easy VPN client/server setup. R3 and R6 are only used as ping targets, with nothing but a default route and an interface IP configured on them.

2. Configuration (redundant lines have been omitted; the ip local pool and the group's DNS/WINS/domain attributes, which the verification output below shows were pushed to the client, are among the omitted lines)

Note that this lab keeps the weak settings of the original Cisco example: ISAKMP policy 1 sets no encryption, so it falls back to the IOS default of DES; the transform set uses esp-des; the DH group is 2; and credentials are stored in clear text (no service password-encryption, password 0). That is fine in IOU, but outside a lab use AES, DH group 14 or higher, and at minimum service password-encryption.




@EZVPN Server Configuration
R1#show run
Building configuration...

Current configuration : 2631 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 1

!--- Enable Authentication, Authorization and Accounting (AAA)
!--- for user authentication and group authorization.
aaa new-model
!--- Network authorization list referenced by the crypto map below;
!--- it resolves the Easy VPN group (hw-client-groupname) from the local database.
aaa authorization network hw-client-groupname local 
!--- A second network authorization list. It is not referenced
!--- anywhere else in this configuration.
aaa authorization network groupauthor local 
!
!
!         
!
aaa session-id common
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
ip cef
no ip domain lookup
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated

!--- Local username/password for Xauth. Xauth is not enabled on this server
!--- (there is no 'crypto map dynmap client authentication list ...'), so this
!--- account is unused in the lab. It is also stored in clear text (type 0).
username cisco password 0 cisco123
!
redundancy

!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
!--- Create a group with the pre-shared key for IKE authentication.
crypto isakmp client configuration group hw-client-groupname
 key hw-client-password

!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set transform-1 esp-des esp-sha-hmac 
!
!--- Create a dynamic map and
!--- apply the transform set that was created earlier.
crypto dynamic-map dynmap 1
 set transform-set transform-1 
 reverse-route
!
!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.
!--- These commands associate the AAA commands to the crypto map.
crypto map dynmap isakmp authorization list hw-client-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap 
!
!--- Apply the crypto map on the interface where
!--- traffic leaves the router.
interface Ethernet0/0
 description connected to Internet
 ip address 20.20.20.2 255.255.255.0
 crypto map dynmap
!
interface Ethernet0/1
 no ip address
 shutdown 
!
interface Ethernet0/2
 ip address 30.30.30.1 255.255.255.0
!
!
ip forward-protocol nd
!
!         
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
exception data-corruption buffer truncate

end

@EZVPN Client Configuration
R2#sh run
Building configuration...

Current configuration : 2420 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 1
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
aaa session-id common
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
!
ip cef
no ip domain lookup
ip domain name cisco.com
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!
username cisco password 0 cisco123
!
redundancy
!--- Set the parameters to connect to the 
!--- appropriate Easy VPN group on the Easy VPN server.
crypto ipsec client ezvpn hw-client
 connect auto
 group hw-client-groupname key hw-client-password
 mode client
 peer 20.20.20.2
 xauth userid mode interactive
!
!--- Apply 'crypto ipsec client ezvpn <name>' to the interface that faces
!--- the Easy VPN server; it becomes the tunnel's outside interface.
interface Ethernet0/0
 description INTERNET
 ip address 20.20.20.1 255.255.255.0
 crypto ipsec client ezvpn hw-client


!--- Define the inside interfaces that will access 
!--- and can be accessed via Easy VPN.
interface Ethernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn hw-client inside
!
interface Ethernet0/2
 no ip address
 shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
exception data-corruption buffer truncate
end

3. Verify

R2#show crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-head-0, local addr 20.20.20.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 20.20.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 20.20.20.2
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x2B595786(727275398)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD56D693B(3580717371)

R2#show crypto ipsec client ezvpn 
Easy VPN Remote Phase: 8

Tunnel name : hw-client
Inside interface list: Ethernet0/1
Outside interface: Ethernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 30.30.30.20 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 30.30.30.10
DNS Secondary: 30.30.30.11
NBMS/WINS Primary: 30.30.30.12
NBMS/WINS Secondary: 30.30.30.13
Default Domain: cisco.com
Save Password: Disallowed
Current EzVPN Peer: 20.20.20.2

When pinging from R2 (source 10.10.10.1) to R6 (30.30.30.30) and then running show crypto ipsec sa, the SA shows 5 packets encrypted but only 4 decrypted. The first echo request was encrypted and sent (it is counted in #pkts encaps) but no reply ever came back for it, as the ping result below shows; the loss therefore happened beyond the tunnel rather than in IPsec (in a freshly started lab this is typically ARP resolution at the far end). All later echos are encrypted and decrypted properly. Note also the local ident 30.30.30.20/32: in "mode client" the router translates the 10.10.10.0/24 LAN behind the single address the server assigned, so the 10.10.10.x hosts themselves are not reachable from the server side; network-extension mode would be needed for that.

R2#ping 30.30.30.30 source 10.10.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.30.30.30, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms

R2#show crypto ipsec sa            

interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-head-0, local addr 20.20.20.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 20.20.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
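The counter check described above, as an added example that is not part of the original post: a small Python parser for show crypto ipsec sa that compares two snapshots of the same SA and classifies the result (idle, one-way, asymmetric, ok). The two snapshots are the outputs shown above, with only the counter lines differing; the verdict strings and the pairing of SAs by (local ident, remote ident, peer) are this script's own choices.

```python
"""Compare two 'show crypto ipsec sa' snapshots and classify the traffic pattern.

Added example for this post, not Cisco tooling. The verdict strings and
the pairing of SAs by (local ident, remote ident, peer) are this script's
own choices.
"""
import re

FIELD_PATTERNS = {
    "local":    re.compile(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)"),
    "remote":   re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+)\)"),
    "peer":     re.compile(r"current_peer (\S+) port \d+"),
    "encaps":   re.compile(r"#pkts encaps: (\d+),"),
    "decaps":   re.compile(r"#pkts decaps: (\d+),"),
    "send_err": re.compile(r"#send errors (\d+),"),
    "recv_err": re.compile(r"#recv errors (\d+)"),
    "pfs":      re.compile(r"PFS \(Y/N\): ([YN]),"),
}
INT_FIELDS = {"encaps", "decaps", "send_err", "recv_err"}

# Snapshot copied from the lab output above (before the ping; all counters zero).
SA_BEFORE = """\
interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-head-0, local addr 20.20.20.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 20.20.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     PFS (Y/N): N, DH group: none
"""
# After the 5-packet ping only the two counter lines differ (5 encrypted, 4 decrypted).
SA_AFTER = SA_BEFORE.replace(
    "#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
    "#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5").replace(
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
    "#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4")


def parse_ipsec_sa(output: str) -> list:
    """Split the command output into one dict per SA; a 'local ident' line starts a new SA."""
    sas, cur = [], None
    for line in output.splitlines():
        for name, pat in FIELD_PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if name == "local":
                cur = {}
                sas.append(cur)
            if cur is not None:
                cur[name] = int(m.group(1)) if name in INT_FIELDS else m.group(1)
    return sas


def diagnose(before: dict, after: dict) -> str:
    """Explain what the counter deltas between two snapshots of one SA mean."""
    tx = after.get("encaps", 0) - before.get("encaps", 0)
    rx = after.get("decaps", 0) - before.get("decaps", 0)
    errs = sum(after.get(k, 0) - before.get(k, 0) for k in ("send_err", "recv_err"))
    if errs > 0:
        return f"errors: IPsec reported {errs} send/recv error(s), check SA state and MTU"
    if tx == 0 and rx == 0:
        return "idle: no packets matched this SA, check the crypto ACL or inside interface"
    if tx > 0 and rx == 0:
        return f"one-way: {tx} encrypted, none decrypted, check return routing and the peer's crypto ACL"
    if tx != rx:
        return f"asymmetric: {tx} encrypted vs {rx} decrypted, {abs(tx - rx)} packet(s) with no counterpart"
    return f"ok: {tx} packets each way"


def sa_key(sa: dict) -> tuple:
    return (sa.get("local"), sa.get("remote"), sa.get("peer"))


def compare_snapshots(before_text: str, after_text: str) -> dict:
    """Pair SAs from two snapshots by (local, remote, peer) and return a verdict per SA."""
    before = {sa_key(s): s for s in parse_ipsec_sa(before_text)}
    return {sa_key(s): diagnose(before.get(sa_key(s), {}), s)
            for s in parse_ipsec_sa(after_text)}


if __name__ == "__main__":
    for key, verdict in compare_snapshots(SA_BEFORE, SA_AFTER).items():
        print(key, "->", verdict)
```

Run it twice a few seconds apart against a live router (paste each output into a file) to separate "nothing is hitting the crypto ACL" from "packets leave but never come back", which need different fixes.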

******Some Other Resources. 

From Cisco page:

  • Cisco Enhanced Easy VPN and DMVPN Comparison


Service/Feature Name                     | Enhanced Easy VPN                         | DMVPN
-----------------------------------------+-------------------------------------------+------------------------------------------
Scalability per Hub                      | Large number of spokes per hub            | Depends on routing protocol chosen
Identical Configuration for All Spokes   | Yes                                       | No
Cross-Platform Support                   | Yes                                       | No
Support for Software/Hardware Client     | Yes                                       | No software client support
Stateful Failover                        | No; but available with legacy Easy VPN    | Depends on routing protocol for recovery
Always-up Tunnel to Hub                  | Not required                              | Yes
Support for Multicast Traffic            | Yes                                       | Yes
Spoke-to-Spoke Direct Communication      | No                                        | Yes
Support for QoS                          | Yes                                       | Yes
Support for Routing Protocols            | No                                        | Yes
Support for Certificates                 | Yes                                       | Yes


  • Cisco Site-to-Site VPN Solution Comparison

Columns: Cisco GET-VPN (tunnel-less VPN) | Cisco DMVPN | Cisco GRE-Based VPN | Cisco Easy VPN | Standard IPsec VPN (the last four are tunnel-based VPNs)

Customer Benefits
  GET-VPN: Simplifies encryption integration on IP and Multiprotocol Label Switching (MPLS) WANs; simplifies encryption management through use of group keying instead of point-to-point key pairs; enables scalable and manageable any-to-any connectivity between sites; supports quality of service (QoS), multicast and routing
  DMVPN: Simplifies encryption configuration and management for point-to-point GRE tunnels; supports QoS, multicast, and routing
  GRE-Based VPN: Enables transport of multicast and routing traffic across an IPsec VPN; supports non-IP protocols; supports QoS
  Easy VPN: Simplifies IPsec and remote-site device management through dynamic configuration policy-push; supports QoS
  Standard IPsec VPN: Provides encryption between sites; supports QoS

When to Use
  GET-VPN: Add encryption to MPLS or IP WANs while preserving any-to-any connectivity and networking features; other scalable, full-time meshing for IPsec VPNs; enables participation of smaller routers in meshed networks; simplifies encryption key management while supporting routing, QoS, and multicast
  DMVPN: Simplifies configuration for hub-and-spoke VPNs while supporting routing, QoS, and multicast; provides low-scale, on-demand meshing
  GRE-Based VPN: Use when routing must be supported across the VPN; use for the same functions as hub-and-spoke DMVPN, but it requires more detailed configuration
  Easy VPN: Use when simplifying overall VPN configuration and management is the primary goal but only limited networking features are required; use to provide a simple, unified configuration framework for a mix of Cisco VPN products
  Standard IPsec VPN: Use when multivendor interoperability is required

Product Interoperability
  GET-VPN: Cisco routers only
  DMVPN: Cisco routers only
  GRE-Based VPN: Cisco routers only
  Easy VPN: Cisco ASA 5500 Series, Cisco VPN 3000 Series, and Cisco PIX Firewall
  Standard IPsec VPN: Multivendor

Scale
  GET-VPN: Thousands
  DMVPN: Thousands hub and spoke; hundreds of partially meshed spoke-to-spoke connections
  GRE-Based VPN: Thousands
  Easy VPN: Thousands
  Standard IPsec VPN: Thousands

Provisioning and Management
  GET-VPN: CLI, Cisco Security Manager
  DMVPN: Cisco Security Manager and Cisco Router and Security Device Manager
  GRE-Based VPN: Cisco Security Manager and Cisco Router and Security Device Manager
  Easy VPN: Configuration automatically pushed to remote sites from the headend; headend policies defined in Cisco Security Manager or Cisco Router and Security Device Manager
  Standard IPsec VPN: Cisco Security Manager and Cisco Router and Security Device Manager

Topology
  GET-VPN: Hub and spoke; any-to-any
  DMVPN: Hub and spoke; on-demand spoke-to-spoke partial mesh; spoke-to-spoke connections automatically terminated when no traffic is present
  GRE-Based VPN: Hub and spoke; small-scale meshing as manageability allows
  Easy VPN: Hub and spoke
  Standard IPsec VPN: Hub and spoke; small-scale meshing as manageability allows

Routing
  GET-VPN: Supported; Cisco GET-VPN any-to-any connectivity can also be used to provide secure routing across an entire router backbone
  DMVPN: Supported
  GRE-Based VPN: Supported
  Easy VPN: Not supported
  Standard IPsec VPN: Not supported

QoS
  GET-VPN: Supported
  DMVPN: Supported
  GRE-Based VPN: Supported
  Easy VPN: Supported, but the QoS policy is not dynamically pushed to the remote sites
  Standard IPsec VPN: Supported

Multicast
  GET-VPN: Natively supported across MPLS and private IP networks; tunneled across Internet-based WANs
  DMVPN: Tunneled
  GRE-Based VPN: Tunneled
  Easy VPN: Not supported
  Standard IPsec VPN: Not supported

Non-IP Protocols
  GET-VPN: Not supported
  DMVPN: Not supported
  GRE-Based VPN: Supported
  Easy VPN: Not supported
  Standard IPsec VPN: Not supported

Private IP Addressing
  GET-VPN: Requires use of GRE or DMVPN with Cisco GET-VPN to support private addresses across public Internet backbones
  DMVPN: Supported
  GRE-Based VPN: Supported
  Easy VPN: Supported
  Standard IPsec VPN: Supported

High Availability
  GET-VPN: Routing
  DMVPN: Routing
  GRE-Based VPN: Routing
  Easy VPN: Stateless failover
  Standard IPsec VPN: Stateless failover


Monday, September 16, 2013

Cisco IOS IPSec VPN with External Trusted PKI Certs - Verisign

Topology:

Using IOU Rack v3 from the post:

My Cisco IOU Racks - from flyxj IOUv3


It looks like the following screenshot:
The goal is to build IPsec with third-party trusted PKI certificates from VeriSign. This lab uses a VeriSign trial certificate to demonstrate the procedure.

Thursday, September 12, 2013

Using Symantec Verisign PKI to authenticate Checkpoint Site-to-Site IPSec VPN

This lab uses a Symantec VeriSign trial SSL certificate and Check Point R76 installed on VMware to demonstrate the steps for using an external OPSEC PKI to authenticate an IPsec VPN tunnel.

Topology:
The goal is to ping from 192.168.177.1 to 192.168.99.1 with RSA signature authentication method.

Monday, February 27, 2012

Cisco IOU IPsec Site to Site VPN with External Third Party CA (XCA) - Part 3


This is part 3 of the lab verifying three different IPsec VPN authentication methods: pre-shared key, RSA key and CA. The first two parts were listed in previous posts. Here is the last part, external CA.

Cisco IOU IPsec Site to Site VPN with Pre-shared key, RSA Key, or CA Part 1

Cisco IOU IPsec Site to Site VPN with Pre-shared key, RSA Key, or CA Part 2




This time I will use CA-signed certificates to build an IPsec site-to-site VPN between two Cisco routers. The topology is the same as before and the IOS info is as follows:

Monday, February 20, 2012

Cisco IOU IPsec Site to Site VPN with Pre-shared key, RSA Key, or CA Part 2


Cisco IOU IPsec Site to Site VPN with RSA key

The physical diagram is the same as before. Since the pre-shared-key IPsec VPN is already configured and working properly, the only things left to do are to change the authentication method and import the peer's public key. Of course, you have to generate your own private and public key first. Also, the time on both devices will have to be synchronized.


Sunday, February 19, 2012

Cisco IOU IPsec Site to Site VPN with Pre-shared key, RSA Key, or CA Part 1

Cisco IOU IPsec Site to Site VPN 


R1#sh ver
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Experimental Version 12.4(20090407:185408) [yuiu-redbuild-V124_24_5_6_PIC1 177]
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 08-Apr-09 02:09 by yuiu

ROM: Bootstrap program is Linux

R1 uptime is 45 minutes
System returned to ROM by reload at 0
System image file is "unix:../i86bi_linux-adventerprisek9-ms"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
          
If you require further assistance please contact us by sending email to
[email protected]

Linux Unix (Intel-x86) processor with 40401K bytes of memory.
Processor board ID 1
8 Ethernet interfaces
8 Serial interfaces
16K bytes of NVRAM.

Configuration register is 0x0



R1#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2.test.com      Eth 1/3            129           R       Linux Uni Eth 1/3

Physical Diagram





R1#sh run
Building configuration...

Current configuration : 2144 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
ip cef
ip domain name test.com
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
!--- IKE phase 1 policy: only the authentication method is set, so the
!--- IOS defaults apply (DES, SHA-1, DH group 1, 86400 s lifetime).
crypto isakmp policy 10
 authentication pre-share
!--- Lab-only pre-shared key; use a long random key outside the lab.
crypto isakmp key 123456 address 12.1.1.2
!      
!
!--- IKE phase 2 transform set: ESP with DES and HMAC-SHA-1.
crypto ipsec transform-set P2-Transform esp-des esp-sha-hmac 
!
!--- The crypto map happens to share the name P2-Transform with the
!--- transform set above; they are separate objects in separate namespaces.
crypto map P2-Transform 10 ipsec-isakmp 
 set peer 12.1.1.2
 set transform-set P2-Transform 
 match address acl_vpn
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 ip address 12.1.1.1 255.255.255.0
 crypto map P2-Transform
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!      
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
!      
no ip http server
no ip http secure-server
ip route 2.2.2.0 255.255.255.0 12.1.1.2
!
ip access-list extended acl_vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!

exception data-corruption buffer truncate
end

--------------------------------------------------------------------------------------------------------

R2#sh run
Building configuration...

Current configuration : 2128 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
!
!      
!
ip cef
ip domain name test.com
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 123456 address 12.1.1.1
!      
!
crypto ipsec transform-set P2-Tran esp-des esp-sha-hmac 
!
crypto map P1-P2-Map 10 ipsec-isakmp 
 set peer 12.1.1.1
 set transform-set P2-Tran 
 match address acl_vpn
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 ip address 12.1.1.2 255.255.255.0
 crypto map P1-P2-Map
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!      
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
!      
no ip http server
no ip http secure-server
ip route 1.1.1.0 255.255.255.0 12.1.1.1
!
ip access-list extended acl_vpn
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
exception data-corruption buffer truncate
end
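Both the Easy VPN lab configs (R1/R2 in Lab 1) and the R1/R2 site-to-site configs above rely on IOS defaults and lab-grade secrets. The following is an added example, not from this post or from Cisco: a Python audit that walks a running-config and flags the weak IKE/IPsec settings a reviewer would look for (DES/3DES, MD5, low DH groups, ISAKMP policies that fall back to the DES/group 1 defaults, short pre-shared keys, clear-text passwords). The thresholds (DH group below 14, keys shorter than 20 characters) are this script's own assumptions; the sample config is constructed from lines taken from the labs above.

```python
"""Flag weak IKE/IPsec settings in a Cisco IOS running-config.

Added example for this post; it is not Cisco tooling. The thresholds
(DH group < 14, pre-shared key < 20 characters) are this script's own
assumptions. The IOS defaults it fills in for an ISAKMP policy that
omits a keyword (encryption des, group 1) are the documented defaults.
"""
import re

WEAK_ENC = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
MIN_DH_GROUP = 14          # assumption: below group 14 (2048-bit MODP) is flagged
MIN_KEY_LEN = 20           # assumption: shorter pre-shared keys are flagged
POLICY_DEFAULTS = {"encryption": "des", "group": "1"}   # IOS defaults when omitted

# Constructed sample: lines taken from the lab configs in this post.
SAMPLE_CONFIG = """\
! constructed from the R1 configs above
no service password-encryption
username cisco password 0 cisco123
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp client configuration group hw-client-groupname
 key hw-client-password
crypto ipsec transform-set transform-1 esp-des esp-sha-hmac
crypto isakmp key 123456 address 12.1.1.2
"""


def audit_ios_config(config: str) -> list:
    """Return one human-readable finding per weak setting found in the config text."""
    findings = []
    policy = None        # number of the 'crypto isakmp policy' block we are inside
    explicit = set()     # keywords explicitly set inside that policy
    group = None         # name of the 'crypto isakmp client configuration group' block

    def close_policy():
        # Keywords the policy did not set fall back to the (weak) IOS defaults.
        for kw, dflt in POLICY_DEFAULTS.items():
            if policy is not None and kw not in explicit:
                findings.append(f"isakmp policy {policy}: '{kw}' not set, IOS default is {dflt}")

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        parts = line.split()
        if line.startswith(" "):                     # sub-command of the current block
            val = parts[1] if len(parts) > 1 else ""
            if policy is not None:
                explicit.add(parts[0])
                if parts[0] == "encryption" and val in WEAK_ENC:
                    findings.append(f"isakmp policy {policy}: weak encryption {val}")
                elif parts[0] == "hash" and val in WEAK_HASH:
                    findings.append(f"isakmp policy {policy}: weak hash {val}")
                elif parts[0] == "group" and val.isdigit() and int(val) < MIN_DH_GROUP:
                    findings.append(f"isakmp policy {policy}: DH group {val} is below {MIN_DH_GROUP}")
            elif group is not None and parts[0] == "key" and len(parts[-1]) < MIN_KEY_LEN:
                findings.append(f"client group {group}: pre-shared key shorter than {MIN_KEY_LEN} chars")
            continue

        close_policy()                               # any top-level line ends the open block
        policy, explicit, group = None, set(), None
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = m.group(1)
        elif m := re.match(r"crypto isakmp client configuration group (\S+)$", line):
            group = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            for t in m.group(2).split():
                if t in WEAK_ENC or t in WEAK_HASH:
                    findings.append(f"transform-set {m.group(1)}: weak transform {t}")
        elif m := re.match(r"crypto isakmp key (?:[067] )?(\S+) address (\S+)", line):
            if len(m.group(1)) < MIN_KEY_LEN:
                findings.append(f"isakmp key for peer {m.group(2)}: shorter than {MIN_KEY_LEN} chars")
        elif m := re.match(r"username (\S+) .*password 0 ", line):
            findings.append(f"username {m.group(1)}: password stored in clear text (type 0)")
        elif line == "no service password-encryption":
            findings.append("service password-encryption is disabled")

    close_policy()                                   # config may end inside a policy block
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config (the script keys on the one-space indentation IOS uses for sub-commands). A clean policy such as "encryption aes 256 / hash sha256 / group 14" produces no findings; the lab configs above produce seven.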

--------------------------------------------------------------------------------------------

R2#ping 1.1.1.1 source 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/24 ms

R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
12.1.1.1        12.1.1.2        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R2#


Wednesday, December 28, 2011

Fully Functional Free VPN over browsing ports 80/443/8080 - proXPN.com

I have been busy looking for a real VPN service that can encrypt your Internet activities from home or office. Mostly what I found were proxies or paid services, which I already listed in previous posts. Happily, I can announce here that there is a real free online VPN service provider: proXPN.com. I am a little concerned about how this is going to break our security policy and become a new security breach. Basically, it auto-detects three ports opened by your firewall, TCP 80, TCP 443 and TCP 8080, which are already opened by almost all firewalls to allow Internet browsing.

This site gives you a public IP from the US, which is the only option with a basic account (free service). But you get more options once you pay a little money monthly.
Your IP Address Is: 173.0.116 


That screenshot shows how to get your free account. Please make sure you select the basic account service, which will not charge you anything.



That's amazing.

All steps are listed on their website. Please check this site out and let me know if there is any issue.