VPN – Virtual Private Network

Cisco does have really nice VPN termination gear, especially the ASA 5500 series. I like those. They are easy to set up for VPN and easy to troubleshoot for VPN issues. However, VPN, or just Site-2-Site VPN, is not that friendly on IOS routers.

To clear the don't-fragment bit on an interface, in case the ISP does not like the MTU over IPSEC:

Router(config)#interface gig 0/0

Router(config-if)#crypto ipsec df-bit clear

Use the following commands to verify the settings of a Site-2-Site VPN:

Router#show crypto session detail

Router#show crypto isakmp sa detail

Router#show crypto ipsec sa

Router#show crypto engine connections active

Router#show crypto engine connections dropped-packet

Router#show crypto engine connections flow

Router#show crypto engine qos

Router#debug crypto condition peer ipv4

Router#debug crypto isakmp

Router#debug crypto ipsec

Use the following command to re-initiate the tunnel on an IOS device:

Router#clear crypto sa peer

Windows Self-Signed Certificate…

Most servers and https/ssh-capable devices contain a self-signed certificate, which should generally have an expiry date longer than the life of the device, so the user/admin does not have to pay special attention to the expiration date of a certificate the Internet does not recognize anyway. Generating a certificate or certificate key is fairly easy, except on Windows Server. Fortunately, Microsoft has a small command-line utility, “makecert.exe”, that you can download for free to generate and install a certificate locally. It is included in the Microsoft SDK package. The only problem is that sometimes it just doesn’t work, and it’s hard to determine what is wrong.

To generate and install, just run:

makecert -r -pe -n "CN=" -b 14/02/2012 -e 01/01/2100 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

For IIS 6, then go to the IIS Manager “Web Site Properties” -> “Directory Security” -> “Server Certificate…” -> “Replace the current certificate” and select the new certificate from the list.

For IIS 7, try it yourself, as I do not have a server with IIS 7 installed.

Cisco context help…not always that helpful.

When you have spent a not-short time with Cisco routers/switches, you know “how helpful” the question mark “?” is. But is it really that helpful? My personal experience is “Yes, sometimes… and also confusing sometimes…” Here is an example to show my point, if you type the following on a router/switch with IOS 11.1 or newer:

router(config)# aaa ?

new-model Enable NEW access control commands and functions. (Disables OLD commands.)

For someone who knows what s/he is doing, the router is just helping her/him remember the command option and warning that the old login commands will be disabled. So the person doing this needs to create local or remote accounts to avoid being locked out of the device.

However, if someone is configuring AAA for the first time, does the context help make sense? What does it mean by “Disables OLD commands”? Which one(s) is/are THE OLD commands …

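BTW, below is also a neat “back-door” in case the remote and/or local user database dies (not sure how a functioning device can have a dead local user database, though). With the none method the console line skips the login prompt entirely, so physical access to the console port is the only control left in front of user EXEC mode.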

router(config)# aaa authentication login NO-LOGIN none

router(config)# line con 0

router(config-line)# login authentication NO-LOGIN

IPSEC L2L Tunnel and Static NAT

There is one tricky issue with an IPSEC L2L tunnel and static NAT on a Cisco router, even one running IOS v15 (not sure why Cisco cannot fix it out of the box). Say you have a site2site VPN and one side runs a static NAT mapping to an internal host (such as a web server). It just works when the internal web server is accessed from the Internet via its public NATed IP address. When it is accessed via its private IP through the tunnel, though, the NATing router mishandles the return traffic: it does not know whether the return traffic should go to the tunnel or, because of the static NAT, out the external interface.

Below is a sample workaround.
[Diagram: Drawing1]

NOTE: There is no “special” configuration on RouterA or for the IPSEC L2L tunnel. As the diagram shows, host 192.168.5.10 behind RouterB runs a surveillance camera page that can be accessed on port 80. We need employees to reach the surveillance camera via the private IP, directly or through the VPN tunnel, while in the office, and via the public IP while out of the office.

Create ACL to match the NAT traffic:
RouterB(config)# ip access-list extended nat-traffic-acl
RouterB(config-ext-nacl)# deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
RouterB(config-ext-nacl)# permit ip 192.168.5.0 0.0.0.255 any

Create route-map for dynamic/overloaded NAT:
RouterB(config)# route-map NAT_TRAFFIC permit 1
RouterB(config-route-map)# match ip address nat-traffic-acl

Create dynamic and static NAT:
RouterB(config)# ip nat inside source route-map NAT_TRAFFIC interface GigabitEthernet0/0 overload
RouterB(config)# ip nat inside source static tcp 192.168.5.10 80 1.2.3.4 8000 route-map NO-STATIC-NAT extendable

NOTE: You cannot map port 80 for translation if http is enabled on the router for management.

Create ACL for traffic that should NOT be NATed:
RouterB(config)# ip access-list extended no-static-nat-acl
RouterB(config-ext-nacl)# deny ip host 192.168.5.10 192.168.1.0 0.0.0.255
RouterB(config-ext-nacl)# permit ip 192.168.5.0 0.0.0.255 any

Create route-map to bypass the static NAT:
RouterB(config)# route-map NO-STATIC-NAT permit 1
RouterB(config-route-map)# match ip address no-static-nat-acl

So the surveillance camera page can be accessed via “http://192.168.5.10” internally OR “http://1.2.3.4:8000” externally.
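
The decision the two route-maps produce for return and outbound traffic, as a simplified Python model. This is an added example, not part of the original post; the sample flows and the 203.0.113.7 client address are constructed, and the model assumes a matching static entry is tried before the overload rule.

```python
import ipaddress

# Constructed model of RouterB's ACLs: (action, src, src wildcard, dst, dst wildcard)
NAT_TRAFFIC_ACL = [
    ("deny", "192.168.5.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.5.0", "0.0.0.255", "any", None),
]
NO_STATIC_NAT_ACL = [
    ("deny", "192.168.5.10", "0.0.0.0", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.5.0", "0.0.0.255", "any", None),
]
STATIC_INSIDE = ("192.168.5.10", 80)   # inside local address and port of the static entry


def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard mask are ignored."""
    if base == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_permits(acl, src, dst):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False


def nat_decision(src, sport, dst):
    """Translation applied to a packet leaving the inside network (simplified)."""
    if (src, sport) == STATIC_INSIDE and acl_permits(NO_STATIC_NAT_ACL, src, dst):
        return "static"      # leaves as 1.2.3.4:8000
    if acl_permits(NAT_TRAFFIC_ACL, src, dst):
        return "overload"    # PAT to the GigabitEthernet0/0 address
    return "none"            # untranslated, still eligible for the tunnel


if __name__ == "__main__":
    flows = [  # constructed sample flows; 203.0.113.7 stands in for an Internet client
        ("192.168.5.10", 80, "192.168.1.25"),
        ("192.168.5.10", 80, "203.0.113.7"),
        ("192.168.5.20", 51000, "192.168.1.25"),
        ("192.168.5.20", 51000, "203.0.113.7"),
    ]
    for flow in flows:
        print(flow, "->", nat_decision(*flow))
```

Only the camera's port-80 replies to non-tunnel destinations take the static translation; everything bound for 192.168.1.0/24 stays untranslated.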

Notepad Hack

Since I do not need the UTF-8 editing from Notepad++ that seriously, I switched to the Notepad that comes with Windows. One thing I noticed right away is that the “Status Bar” in Notepad is disabled if word wrap is enabled…! Why would you want to do that, Microsoft!!! I would like to see the statistics, like line and column number.

Luckily, there is a simple enough registry hack to get around it. Basically, you need to enable word wrap and close Notepad. Then just open regedit, navigate to “HKEY_CURRENT_USER\Software\Microsoft\Notepad” and modify the StatusBar value from 0 to 1.

How To Enable Notepad Status Bar In Windows 7.

HP Networking…

How many people use HP gear for serious networking? I doubt many.

I personally just found that HP ProCurve switches cannot do per-VLAN spanning tree!!! Why!? Why did HP even put this kind of device on the market!! I guess it was our bad to select them for our data center just to save some bucks… Plus, I doubt HP even has a switch model that can do ACLs.

For wireless, HP does provide a light-weight AP and controller package. However, it does not work!!! It does not work well with Active Directory auth, and a light-weight AP cannot connect to the controller if the AP is connected to a VLAN other than VLAN 1…

I just do not recommend HP for networking, PERIOD.

Cross-Over cable helps

Cisco to Cisco normally means problem-free in the networking world, right? Not all the time…

Some say that in the Cisco world, if a setting has an auto option, then you auto do not use that option. I follow the “rule” most of the time.

Two Cisco mid-range switches were connected together with a CAT5 cable; one end was initially configured for full duplex 100 Mbps and the other end for auto negotiation. I then found the auto end was only running at half duplex 100 Mbps. So I thought I needed to hardcode the values to match the other end to improve the link performance. After the speed and duplex settings, I typed in “shut” (interface light went dark), then “no shut” (interface light stayed dark)… Ran the commands again, same thing… Bad cable? …

Long story short, the “Bad Cable” was a straight-through cable, and it does not work on a 10/100 link between 2 switches!!! (here is an animation that shows why) If I had used a gigabit interface on either end, I would not have had the issue, OR if I had remembered the basics and used a cross-over cable between 10/100 interfaces to connect switches, I would not have had the issue either.

As of 2012, most business-class switches are Gigabit or 10 Gigabit capable. Those high-speed interfaces are not only faster, they also help you with other stuff. People are now starting to forget what was required in the old days and do not even have cross-over cables anymore…

BTW, avoid entering data-center at 4:30 PM Friday if you can 🙂

Layer 2 Over Internet

It is pretty cool technology that lets you build a Layer 2 network between offices over the Internet. However, the ISP normally has to tweak things specifically for you to make the link behave purely like a layer 2 connection, especially with QinQ. The ISP has to manually disable MAC address learning on the VLAN of theirs that encapsulates your circuit, so that ARP traffic for your own/real VLAN can flow through.

IOS Site-2-Site VPN from CLI

Since ASDM and CCP are mature enough, almost no one naturally goes to the CLI when configuring Site-2-Site VPN. However, manual stuff is always handy. I found this recipe in my archive from when I was studying for the CCSP… Still pretty neat after 4.5 years.

Documentation:

1. Document your IKE Phase 1 negotiation criteria (example below)

o Encryption algorithm: AES-128

o Hashing: SHA-1

o Authentication: pre-shared

o Key exchange: Diffie-Hellman Group 2 

2. Document your IPSec (IKE Phase 2) negotiation criteria (example below)

o Encryption algorithm: esp-aes 128

o Authentication: esp-sha-hmac

Configuring IKE Phase 1: 

1. Enable ISAKMP: Router(config)#crypto isakmp enable

2. Create ISAKMP Policy: Router(config)#crypto isakmp policy <1-10000>

o Router(config)#crypto isakmp policy 10

· Router(config-isakmp)#encryption aes 128

· Router(config-isakmp)#authentication pre-share

· Router(config-isakmp)#group 2

· Router(config-isakmp)#hash sha

3. Configure ISAKMP Identity: Router(config)#crypto isakmp identity

4. Configure pre-shared keys: Router(config)#crypto isakmp key address

Configuring IKE Phase 2:

1. Create transform sets: Router(config)#crypto ipsec transform-set

o Router(config)#crypto ipsec transform-set L2L-VPN-SET esp-aes 128 esp-sha-hmac

2. (optional) Configure IPSec lifetime: Router(config)#crypto ipsec security-association lifetime 

3. Create mirrored extended numbered/named ACLs matching traffic to be encrypted and the traffic expected to be received encrypted 

4. Set up IPSec crypto-map: Router(config)#crypto map ipsec-isakmp

o Router(config)#crypto map L2L-VPN-MAP 10 ipsec-isakmp

· Router(config-crypto-map)#match address

· Router(config-crypto-map)#set peer

· Router(config-crypto-map)#set pfs (optional)

· Router(config-crypto-map)#set transform-set

5. Apply the crypto map to interface that VPN will initiate and terminate:

o Router(config)#interface

o Router(config-if)#crypto map L2L-VPN-MAP 

Verification:

o show crypto isakmp policy

o show crypto ipsec transform-set

o show crypto isakmp sa (Phase 1)

o show crypto ipsec sa (Phase 2)

o show crypto map

o debug crypto isakmp (Phase 1)

o debug crypto ipsec (Phase 2)
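
A check to run over the documented Phase 1 and Phase 2 criteria before deploying them, written in Python. This is an added example, not part of the original recipe; the sample configuration is constructed (policy 10 and the transform set use the recipe's example values), and the list of values treated as legacy is this example's assumed baseline.

```python
import re

# Assumed baseline for this example: values treated as legacy. Adjust to your policy.
LEGACY = {
    "encryption": {"des", "3des"},
    "hash": {"md5", "sha"},        # "sha" on IOS is SHA-1
    "group": {"1", "2", "5"},      # MODP groups of 1536 bits or less
}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

# Constructed sample: policy 10 and the transform set use the recipe's example values.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 128
 authentication pre-share
 group 2
 hash sha
crypto isakmp policy 20
 encryption aes 256
 authentication pre-share
 group 14
 hash sha256
crypto ipsec transform-set L2L-VPN-SET esp-aes 128 esp-sha-hmac
"""


def audit_crypto(config):
    """Return (scope, setting, value) for each legacy choice found in the config."""
    findings, policy = [], None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        line = " ".join(parts)
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
        elif line.startswith("crypto ipsec transform-set ") and len(parts) > 4:
            policy = None
            for word in parts[4:]:
                if word in LEGACY_TRANSFORMS:
                    findings.append((f"transform-set {parts[3]}", "transform", word))
        elif not raw[0].isspace():
            policy = None          # any other global command closes the policy block
        elif policy and len(parts) > 1:
            key = "encryption" if parts[0].startswith("encr") else parts[0]
            if parts[1] in LEGACY.get(key, ()):
                findings.append((f"isakmp policy {policy}", key, parts[1]))
    return findings
```

Against the sample, the recipe's Diffie-Hellman Group 2, SHA-1 hash and esp-sha-hmac are reported, while policy 20 passes.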