IPSec tunnel with Policy-Based NAT on Fortigate

First, here is the high-level diagram:

[diagram omitted: Drawing1]

The requirements are:

1. Establish an IPsec VPN tunnel between the FortiGate and a Cisco ASA.

2. Translate the source address to 10.153.153.0/24 when 10.100.100.0/24 connects to 172.24.200.0/24 via the IPsec tunnel.

3. Do not translate 172.24.200.0/24 when it connects to 10.153.153.0/24 via the IPsec tunnel.

With an ASA on the far end this is a standard IPsec tunnel setup; even if you replace the FortiGate with a second ASA, the configuration stays fairly straightforward. On the FortiGate it is a little tricky, at least at the very beginning, because my FortiOS 5.2 has no GUI option for creating such a tunnel, so I had to start from the CLI.

Below is the configuration put onto the FortiGate. A few points worth checking against it:

Because the translation happens before encryption, the phase 2 src-subnet is the translated range 10.153.153.0/24 (use-natip is disabled and the selector is set explicitly), and the crypto ACL on the ASA must be its mirror image, 172.24.200.0/24 to 10.153.153.0/24. The ASA never sees 10.100.100.0/24.

As written, the two address objects carry /24 masks, so both describe 10.100.100.0/24: policy 1 matches the whole subnet and policy 2 never fires. If the intent is one policy (and one natip) per host, give the objects /32 masks.

The 3des-sha1 proposal and DH group 2 are listed for compatibility with the ASA; drop them in favour of AES and DH group 14 or higher where the peer supports them.

config firewall address
edit "LocalSubnet-RealIP-1"
set associated-interface "LAN"
set subnet 10.100.100.1 255.255.255.0
next
edit "LocalSubnet-RealIP-2"
set associated-interface "LAN"
set subnet 10.100.100.2 255.255.255.0
next
edit "RemoteSubnet"
set subnet 172.24.200.0 255.255.255.0
next
end

config vpn ipsec phase1
edit "Tunnel4Test"
set interface "WAN"
set nattraversal disable
set proposal aes128-sha1 3des-sha1
set dhgrp 5 2
set remote-gw 204.204.204.18
set psksecret ENC YHbmejTH3Doryywk/KkQZ+qWXBEOP1RScs+ewjBmhzXcTguEdmuKsW8g==
next
end

config vpn ipsec phase2
edit "Tunnel4TestP2"
set phase1name "Tunnel4Test"
set use-natip disable
set proposal aes128-sha1
set pfs disable
set keepalive enable
set auto-negotiate enable
set src-addr-type ip
set dst-addr-type ip
set src-subnet 10.153.153.0 255.255.255.0
set dst-subnet 172.24.200.0 255.255.255.0
next
end

config firewall policy
edit 1
set srcintf "LAN"
set dstintf "WAN"
set srcaddr "LocalSubnet-RealIP-1"
set dstaddr "RemoteSubnet"
set action ipsec
set schedule "always"
set service "ALL"
set utm-status enable
set natip 10.153.153.1 255.255.255.255
set av-profile "Default"
set webfilter-profile "Default"
set ips-sensor "Default"
set application-list "Default"
set profile-protocol-options "default"
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel "Tunnel4Test"
next
edit 2
set srcintf "LAN"
set dstintf "WAN"
set srcaddr "LocalSubnet-RealIP-2"
set dstaddr "RemoteSubnet"
set action ipsec
set schedule "always"
set service "ALL"
set utm-status enable
set natip 10.153.153.2 255.255.255.255
set av-profile "Default"
set webfilter-profile "Default"
set ips-sensor "Default"
set application-list "Default"
set profile-protocol-options "default"
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel "Tunnel4Test"
next
end

 
Once the initial configuration is in place on the FortiGate, you can modify the settings from the GUI.
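Before bringing the tunnel up it is worth checking the design for the mistakes that make a policy-based NAT tunnel fail quietly. The Python below is an added example, not FortiGate or ASA configuration and not from the original post; it models the selectors and natip values from the configuration above (the ASA side being the mirror image those values imply) and flags non-mirrored selectors, a natip outside the negotiated src-subnet, and a policy shadowed by an earlier one. The /32 variant of the policies is my assumption of the per-host intent, not something the post states.

```python
"""Consistency checks for a policy-based IPsec tunnel with source NAT.

Added example, not configuration from the original post. It models the
FortiGate side (phase 2 selector plus the per-policy natip values) and the
selector the ASA's crypto ACL must carry, then reports the three mistakes
that make such a tunnel fail quietly. Standard library only.
"""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Selector = Tuple[Net, Net]        # (src-subnet, dst-subnet) as negotiated in phase 2
Policy = Tuple[int, Net, Net]     # (policy id, srcaddr, natip)


def net(text: str) -> Net:
    """Accept FortiOS 'addr mask' or CIDR text. Host bits are dropped, which is
    also how a /24 address object behaves: 10.100.100.1/24 == 10.100.100.0/24."""
    return ipaddress.ip_network(text.replace(" ", "/"), strict=False)


def selectors_mirror(local: Selector, remote: Selector) -> bool:
    """Phase 2 only negotiates when the peer's (src, dst) is our (dst, src)."""
    return local[0] == remote[1] and local[1] == remote[0]


def natips_outside_selector(natips: List[Net], local_src: Net) -> List[Net]:
    """Translated sources the phase 2 src-subnet does not cover: packets with
    such a source never match the tunnel's proxy ID and are dropped."""
    return [n for n in natips if not n.subnet_of(local_src)]


def shadowed_policies(policies: List[Policy]) -> List[Tuple[int, int]]:
    """(earlier, later) pairs where the earlier policy's srcaddr already covers
    the later one's, so the later policy (and its natip) is never used."""
    found = []
    for i, (pid_a, src_a, _) in enumerate(policies):
        for pid_b, src_b, _ in policies[i + 1:]:
            if src_b.subnet_of(src_a):
                found.append((pid_a, pid_b))
    return found


def check_design(local: Selector, remote: Selector, policies: List[Policy]) -> List[str]:
    """Run all checks; an empty list means the design is consistent."""
    findings = []
    if not selectors_mirror(local, remote):
        findings.append(f"selectors not mirrored: local {local} vs remote {remote}")
    for n in natips_outside_selector([p[2] for p in policies], local[0]):
        findings.append(f"natip {n} is outside src-subnet {local[0]}")
    for a, b in shadowed_policies(policies):
        findings.append(f"policy {b} is shadowed by policy {a}")
    return findings


# Values from the post: FortiGate phase 2, and what the ASA crypto ACL must mirror.
FORTIGATE_SELECTOR: Selector = (net("10.153.153.0/24"), net("172.24.200.0/24"))
ASA_SELECTOR: Selector = (net("172.24.200.0/24"), net("10.153.153.0/24"))

# The two policies exactly as written (address objects carry /24 masks).
POLICIES_AS_WRITTEN: List[Policy] = [
    (1, net("10.100.100.1 255.255.255.0"), net("10.153.153.1 255.255.255.255")),
    (2, net("10.100.100.2 255.255.255.0"), net("10.153.153.2 255.255.255.255")),
]
# Assumed per-host intent: /32 address objects, one policy and one natip per host.
POLICIES_PER_HOST: List[Policy] = [
    (1, net("10.100.100.1/32"), net("10.153.153.1/32")),
    (2, net("10.100.100.2/32"), net("10.153.153.2/32")),
]

if __name__ == "__main__":
    for label, pols in (("as written", POLICIES_AS_WRITTEN), ("per host", POLICIES_PER_HOST)):
        print(label, check_design(FORTIGATE_SELECTOR, ASA_SELECTOR, pols) or ["OK"])
```

Run as written, the "as written" case reports policy 2 as shadowed by policy 1 and the per-host case comes back clean; swapping either half of ASA_SELECTOR reproduces the classic "phase 2 proposal mismatch" before you ever touch the ASA.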


Did I configure the QoS Policy Wrong!!??

“The short answer is maybe.” This was what I gave to one of the customers when he asked me.

The story was that he has Cisco 2960-S switches and configured policy-maps to prioritize the voice traffic. But when he ran “show policy-map interface” on any of his switches, he got no matches…

There is indeed a known bug for the 2960 switch, but somehow Cisco only identifies it for IOS 12 while my customer is using IOS 15… Being lazy??…

Anyhow, “show mls qos interface statistics” does show the matches.

openSUSE as I-CAP Server for Content filter

Components that need to be installed on openSUSE 13.2:

  • Squid
  • ClamAV
  • C-ICAP
  • SquidClamAV

They can all be found by searching the openSUSE website. I used 1-Click Install to add the repositories as well.

Once the components are installed, add the following services to be started automatically at boot:

  • squid
  • clamd
  • c-icap

You can restart any of those services by running rc<service-name> restart, e.g. rcsquid restart.

I did not put much customized configuration into squid or c-icap. Below is what I added on top of the default configuration.

For Squid (/etc/squid/squid.conf):

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

Note the bypass values: bypass=1 on the REQMOD service means that if c-icap is down or returns an error, Squid skips request adaptation and lets the request through (fail-open), while bypass=0 on the RESPMOD service makes Squid return an error page rather than serve a response it could not scan (fail-closed). The fail-closed setting is the one that matters for virus scanning.

For c-icap (/etc/c-icap/c-icap.conf): I only updated the ServerAdmin and ServerName values and added the following line.

Service squidclamav squidclamav.so

For ClamAV (/etc/freshclam.conf): uncomment the lines below and change “XY” to your country code. I am in Canada, so I used CA.

DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.ca.clamav.net
DatabaseMirror database.clamav.net

Do not forget to allow TCP/1344 in the openSUSE firewall if Squid and c-icap run on different hosts. With the configuration above Squid talks to c-icap over 127.0.0.1, and c-icap does not authenticate its clients unless you configure its own access controls, so only open the port towards the proxy host.

NOTE: if large files need to be scanned, adjust the maxsize value in /etc/squidclamav.conf and the StreamMaxLength value in /etc/clamd.conf accordingly.
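Once c-icap is running, the quickest way to confirm that the squidclamav service is actually answering is the same OPTIONS exchange Squid performs before it uses a service. The Python below is an added example, not from the original post and not from the c-icap project: it builds the OPTIONS request, parses the reply in RFC 3507 framing, and reports the supported methods. SAMPLE_OPTIONS_RESPONSE is a constructed reply in that format with made-up Service and ISTag values, not output captured from c-icap, and the probe() function assumes the defaults used above (127.0.0.1, port 1344, service name squidclamav).

```python
"""ICAP OPTIONS probe for the c-icap/squidclamav service.

Added example, not from the original post. Squid sends an OPTIONS request
to an ICAP service and reads its Methods header before adapting traffic;
this does the same by hand. Standard library only.
"""
import socket
from typing import Dict, Set, Tuple


def build_options_request(host: str, service: str = "squidclamav") -> bytes:
    """OPTIONS for icap://host/service, CRLF-terminated like HTTP."""
    return (
        f"OPTIONS icap://{host}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "User-Agent: icap-probe/0.1\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    ).encode("ascii")


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from an ICAP response head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0" or not parts[1].isdigit():
        raise ValueError(f"not an ICAP/1.0 status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def supported_methods(headers: Dict[str, str]) -> Set[str]:
    """The Methods header lists what the service accepts (REQMOD and/or RESPMOD)."""
    return {m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()}


def probe(host: str = "127.0.0.1", port: int = 1344, service: str = "squidclamav",
          timeout: float = 5.0) -> Tuple[int, Set[str]]:
    """Connect, send OPTIONS, read up to the blank line, return (status, methods).
    Run from the Squid host; run from elsewhere it also shows whether the port
    is reachable through the openSUSE firewall."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, service))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    status, headers = parse_icap_response(buf)
    return status, supported_methods(headers)


# Constructed sample reply (RFC 3507 shape; Service and ISTag values are made up).
SAMPLE_OPTIONS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD, REQMOD\r\n"
    b"Service: C-ICAP/0.3.4 server - SquidClamav/6.x\r\n"
    b"ISTag: CI0001-example\r\n"
    b"Transfer-Preview: *\r\n"
    b"Preview: 1024\r\n"
    b"Allow: 204\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)


def check_sample() -> Tuple[int, Set[str]]:
    """Parse the constructed reply the way probe() parses a live one."""
    status, headers = parse_icap_response(SAMPLE_OPTIONS_RESPONSE)
    return status, supported_methods(headers)


if __name__ == "__main__":
    print("sample:", check_sample())
    try:
        print("live:", probe())
    except OSError as exc:
        print("c-icap not reachable:", exc)
```

If the live probe returns a status other than 200, or a Methods set missing REQMOD or RESPMOD, the matching Squid service line above will be failing (silently, for the bypass=1 REQMOD service), so check /var/log/c-icap before blaming Squid.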

L2TPv3 Tunnel

Recently I got the question: how can we build a DR site for a medium-sized business customer? Top of my head was FabricPath or TRILL, but they were not likely to buy and upgrade their infrastructure, so we had to go cheap. I then started working on an L2TPv3 tunnel setup in GNS3.

[diagram omitted: topology]

Since it is a lab, why not go fancy: L2TPv3 “mesh” over IPsec!!! (As configured below it is really hub-and-spoke: each branch has a single pseudowire to HQ and none to the other branch.)

I have spent too much time on the configuration already, so the configuration files are attached below for your reference. If you think there is content from your publication, that is probably because I was reading it during my troubleshooting… So please contact me if you prefer to have your name listed for credit 🙂

+++++++++++++++ISP++++++++++++++++++
hostname ISP
!
interface Loopback0
ip address 10.0.4.4 255.255.255.255
!
interface FastEthernet 0/0
ip address 4.1.1.4 255.255.255.0
speed 100
full-duplex
no shut
interface FastEthernet 0/1
ip address 4.2.2.4 255.255.255.0
speed 100
full-duplex
no shut
!
interface FastEthernet1/0
ip address 4.3.3.4 255.255.255.0
speed 100
full-duplex
no shut
!
router ospf 1
router-id 10.0.4.4
network 0.0.0.0 255.255.255.255 area 0
+++++++++++++++HQ++++++++++++++++++
hostname HQ
!
interface Loopback0
ip address 10.0.1.1 255.255.255.255
!
interface FastEthernet 0/0
ip address 4.1.1.1 255.255.255.0
speed 100
full-duplex
no shut
!
router ospf 1
router-id 10.0.1.1
network 0.0.0.0 255.255.255.255 area 0
!
l2tp-class L2TPV3class
authentication
password L2TPV3
!
pseudowire-class HQ2R2
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
interface FastEthernet0/1
description HQ_LAN_R2Branch
no ip address
no shut
no cdp enable
xconnect 10.0.2.2 100 encap l2tpv3 manual pw-class HQ2R2
l2tp id 100 200
l2tp hello L2TPV3class
!
pseudowire-class HQ2R3
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
interface FastEthernet1/0
description HQ_LAN_R3Branch
no ip address
no shut
no cdp enable
xconnect 10.0.3.3 101 encap l2tpv3 manual pw-class HQ2R3
l2tp id 103 301
l2tp hello L2TPV3class
+++++++++++++++Branch2++++++++++++++++++
hostname Branch2
!
interface Loopback0
ip address 10.0.2.2 255.255.255.255
!
default inter fa0/0
interface FastEthernet 0/0
speed 100
full-duplex
ip address 4.2.2.2 255.255.255.0
no shut
!
router ospf 1
router-id 10.0.2.2
network 0.0.0.0 255.255.255.255 area 0
!
l2tp-class L2TPV3class
authentication
password L2TPV3
!
pseudowire-class R22HQ
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
interface FastEthernet1/0
description R2Branch_LAN_HQ
no ip address
no shut
no cdp enable
xconnect 10.0.1.1 200 encap l2tpv3 manual pw-class R22HQ
l2tp id 200 100
l2tp hello L2TPV3class
!
+++++++++++++++Branch3++++++++++++++++++
hostname Branch3
!
interface Loopback0
ip address 10.0.3.3 255.255.255.255
!
interface FastEthernet 0/0
speed 100
full-duplex
ip address 4.3.3.3 255.255.255.0
no shut
!
router ospf 1
router-id 10.0.3.3
network 0.0.0.0 255.255.255.255 area 0
!
l2tp-class L2TPV3class
authentication
password L2TPV3
!
pseudowire-class R32HQ
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
default inter fa1/0
interface FastEthernet1/0
description R3Branch_LAN_HQ
no ip address
no shut
no cdp enable
xconnect 10.0.1.1 301 encap l2tpv3 manual pw-class R32HQ
l2tp id 301 103
l2tp hello L2TPV3class
!
++++++++++++HQ IPSec Configure+++++++++++++++
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
! Lab settings: 3DES with DH group 2 is weak, and a 0.0.0.0 0.0.0.0 wildcard key accepts any
! peer that knows the PSK. For anything real, use AES with group 14 or higher and one key per peer address.
crypto isakmp key 1tunnel2connect address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set HQ-TRANSFORM esp-3des esp-sha-hmac
!
crypto map HQ2Others 100 ipsec-isakmp
set peer 4.3.3.3
set transform-set HQ-TRANSFORM
match address 110
crypto map HQ2Others 200 ipsec-isakmp
set peer 4.2.2.2
set transform-set HQ-TRANSFORM
match address 100
!
! The pseudowire packets are sourced from Loopback0 (ip local interface Loopback0 in the
! pw-class) and addressed to the peer's loopback, so the crypto ACLs must match those
! loopback pairs. Matching the 4.x.x.x WAN addresses instead would leave the L2TPv3
! traffic outside the IPsec SA, i.e. sent in the clear.
access-list 100 permit ip host 10.0.1.1 host 10.0.2.2
access-list 110 permit ip host 10.0.1.1 host 10.0.3.3
!
interface FastEthernet0/0
crypto map HQ2Others
!
++++++++++++Branch2 IPSec Configure+++++++++++++++
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key 1tunnel2connect address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set R2-TRANSFORM esp-3des esp-sha-hmac
!
crypto map R22HQ 100 ipsec-isakmp
set peer 4.1.1.1
set transform-set R2-TRANSFORM
match address 100
!
! Mirror image of HQ's access-list 100.
access-list 100 permit ip host 10.0.2.2 host 10.0.1.1
!
interface FastEthernet0/0
crypto map R22HQ
!
++++++++++++Branch3 IPSec Configure+++++++++++++++
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key 1tunnel2connect address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set R3-TRANSFORM esp-3des esp-sha-hmac
!
crypto map R32HQ 100 ipsec-isakmp
set peer 4.1.1.1
set transform-set R3-TRANSFORM
match address 100
!
! Mirror image of HQ's access-list 110.
access-list 100 permit ip host 10.0.3.3 host 10.0.1.1
!
interface FastEthernet0/0
crypto map R32HQ
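The pseudowires above are only as private as the IPsec wrap. With protocol none there is no control channel, and L2TP authentication only ever covers control messages anyway; without l2tp cookie, the 32-bit session ID from l2tp id is the only thing the receiver checks on a data packet, and it travels in the clear in every packet. The Python below is an added example, not from the original post, that builds and validates L2TPv3-over-IP data packets to show exactly what a host that can reach a loopback address needs in order to inject frames into a pseudowire, and how a cookie changes that. The Pseudowire class, the sample frame and the 8-byte cookie are constructed here; the session IDs 100/200 are the ones from the HQ and Branch2 xconnects.

```python
"""L2TPv3-over-IP data framing and the receive-side session check.

Added example, not from the original post. RFC 3931 carries L2TPv3 data
directly in IP (protocol 115) as: 32-bit session ID, optional 4- or 8-byte
cookie, then the layer 2 frame. This models one manually configured
pseudowire end and the checks it applies to incoming packets.
"""
import hmac
import struct
from typing import Optional, Tuple

L2TPV3_IP_PROTOCOL = 115      # L2TPv3 directly over IP, no UDP
CONTROL_SESSION_ID = 0        # session ID 0 is reserved for control messages


def encode_data_packet(session_id: int, frame: bytes, cookie: bytes = b"") -> bytes:
    """Session ID (network order) + optional cookie + L2 frame."""
    if session_id == CONTROL_SESSION_ID or not 0 < session_id <= 0xFFFFFFFF:
        raise ValueError("data session IDs are 1..2^32-1")
    if len(cookie) not in (0, 4, 8):
        raise ValueError("cookie must be empty, 4 or 8 bytes")
    return struct.pack("!I", session_id) + cookie + frame


def decode_data_packet(packet: bytes, cookie_len: int) -> Tuple[int, bytes, bytes]:
    """Split into (session_id, cookie, frame) for a session expecting cookie_len bytes."""
    if len(packet) < 4 + cookie_len:
        raise ValueError("truncated L2TPv3 packet")
    (session_id,) = struct.unpack("!I", packet[:4])
    return session_id, packet[4:4 + cookie_len], packet[4 + cookie_len:]


class Pseudowire:
    """One end of a manually configured pseudowire (xconnect ... manual)."""

    def __init__(self, local_id: int, remote_id: int, cookie: bytes = b""):
        self.local_id = local_id      # `l2tp id <local> <remote>`: the ID we accept
        self.remote_id = remote_id    # the ID we put in packets we send
        self.cookie = cookie          # `l2tp cookie`; empty, as in the configs above

    def send(self, frame: bytes) -> bytes:
        return encode_data_packet(self.remote_id, frame, self.cookie)

    def accept(self, packet: bytes) -> Optional[bytes]:
        """Return the inner frame if the packet belongs to this session, else None.
        The cookie compare is constant-time; with no cookie configured it is vacuous."""
        try:
            session_id, cookie, frame = decode_data_packet(packet, len(self.cookie))
        except ValueError:
            return None
        if session_id != self.local_id:
            return None
        if not hmac.compare_digest(cookie, self.cookie):
            return None
        return frame


# HQ <-> Branch2 pseudowire as on the page: local 100 at HQ, local 200 at Branch2.
HQ_TO_BRANCH2 = Pseudowire(local_id=100, remote_id=200)
BRANCH2_TO_HQ = Pseudowire(local_id=200, remote_id=100)

# Constructed sample Ethernet frame: broadcast ARP, 14-byte header plus 28-byte body.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28


def spoof_without_cookie() -> bool:
    """An attacker who guesses the session ID gets a frame onto Branch2's LAN."""
    forged = encode_data_packet(200, SAMPLE_FRAME)
    return BRANCH2_TO_HQ.accept(forged) == SAMPLE_FRAME


def spoof_with_cookie(attacker_guess: bytes = b"\x00" * 8) -> bool:
    """Same forgery against a pseudowire that also checks an 8-byte cookie."""
    guarded = Pseudowire(local_id=200, remote_id=100, cookie=bytes.fromhex("a1b2c3d4e5f60718"))
    forged = encode_data_packet(200, SAMPLE_FRAME, attacker_guess)
    return guarded.accept(forged) == SAMPLE_FRAME


if __name__ == "__main__":
    print("HQ frame accepted at Branch2:", BRANCH2_TO_HQ.accept(HQ_TO_BRANCH2.send(SAMPLE_FRAME)) == SAMPLE_FRAME)
    print("forged frame accepted without cookie:", spoof_without_cookie())
    print("forged frame accepted with cookie:", spoof_with_cookie())
```

The session IDs on the page are small, sequential values, so guessing them is trivial; an 8-byte random cookie raises the bar for blind injection, but only the IPsec wrap (with crypto ACLs that actually cover the loopback-to-loopback traffic) stops an on-path observer who can read the session ID and cookie straight off the wire.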

Disable Windows Live ID SSO for IE 11

Windows 8/8.1 setup asks you to sign in with a Microsoft account (previously called a Live ID).

When you open IE and visit some Microsoft-owned or Microsoft-integrated websites, such as live.com, IE automatically uses that pre-entered account. However, there are times you need to log in with a different account. Here is a workaround:

The sign-in cookies are saved in the registry under HKCU\Software\Microsoft\AuthCookies\Live.

Delete the Live subkey, then change the permissions on the AuthCookies key so that your daily account is not allowed to create new subkeys there.

Traffic Capture on IOS router

Ever run into a scenario where you need to capture traffic on a production network, but you cannot do SPAN or put a capture device inline without briefly bringing the network down? The answer is to capture on the IOS router directly.

First, create a capture buffer on the router (circular, so that once it is full the oldest packets are overwritten and the most recent ones are kept):

Router# monitor capture buffer MYCAPBUFFER circular

Then create a capture point on the router. A cef capture point sees the CEF-switched packets on that interface (here serial 1/0, in both directions); traffic punted to the CPU needs an ip process-switched capture point instead:

Router# monitor capture point ip cef MYCAP serial 1/0 both

Then associate the buffer with the capture point:

Router# monitor capture point associate MYCAP MYCAPBUFFER

Now turn on the capture point:

Router# monitor capture point start MYCAP

The following message should appear on the router console:

*May 2 16:25:46.727: %BUFCAP-6-ENABLE: Capture Point MYCAP enabled.

Then generate some traffic on the network, or simply use ping.

Once enough traffic has been generated and captured, stop the capture:

Router# monitor capture point stop MYCAP

You can view the status of the capture; it should show “inactive”.

Router# show monitor capture buffer all parameters

You can also view the traffic dump on the router, though the raw hex is not very readable:

Router# show monitor capture buffer MYCAPBUFFER dump

Router# show monitor capture buffer MYCAPBUFFER

I prefer to export the capture to a proper capture file for further analysis:

Router# monitor capture buffer MYCAPBUFFER export ?
bootflash:  Location to dump buffer
disk0:      Location to dump buffer
disk1:      Location to dump buffer
flash:      Location to dump buffer
ftp:        Location to dump buffer
http:       Location to dump buffer
https:      Location to dump buffer
pram:       Location to dump buffer
rcp:        Location to dump buffer
scp:        Location to dump buffer
slot0:      Location to dump buffer
slot1:      Location to dump buffer
tftp:       Location to dump buffer

For example: Router# monitor capture buffer MYCAPBUFFER export tftp://<tftp-server>/MYCAP.pcap

Of these, only scp: and https: protect the file in transit; tftp:, ftp:, http: and rcp: send the captured packets, and whatever credentials they contain, across the network in the clear.
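To make sense of an exported capture without a second tool, here is an added Python example (not from the original post) that reads a libpcap file as written by the export command and lists the IPv4 conversations in it. The file it parses is built in the same code, two constructed ICMP packets in Ethernet framing, so it runs offline; a real router export may use a different link type, which read_pcap returns so the caller can pick the right decoder.

```python
"""Reader for the pcap file that `monitor capture buffer ... export` writes.

Added example, not from the original post. `show monitor capture buffer
... dump` prints raw hex, while the exported file is an ordinary libpcap
capture. The sample capture below is constructed in code (two Ethernet/IPv4
packets), not a real router export. Standard library only.
"""
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"


def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Ethernet II + minimal IPv4 header (checksum left 0; this reader ignores it)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     _ipv4(src), _ipv4(dst))
    return eth + ip + payload


def build_pcap(frames: List[bytes], byteorder: str = "!", snaplen: int = 1518) -> bytes:
    """24-byte global header, then a 16-byte record header before each frame.
    byteorder "!" writes big-endian, "<" little-endian; both are valid pcap."""
    out = [struct.pack(byteorder + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack(byteorder + "IIII", 1430580346 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (timestamp seconds, link type, frame bytes) per record, honouring
    the byte order announced by the magic number."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("!I", data[:4])[0]
    if magic == PCAP_MAGIC:
        bo = "!"
    elif magic == 0xD4C3B2A1:
        bo = "<"
    else:
        raise ValueError(f"not a libpcap file (magic {magic:#x})")
    linktype = struct.unpack(bo + "IHHiIII", data[:24])[6]
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(bo + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated record")
        yield ts_sec, linktype, data[offset:offset + incl_len]
        offset += incl_len


def summarize(data: bytes) -> List[Tuple[str, str, int]]:
    """(src, dst, IP protocol) for every IPv4-over-Ethernet packet; others are skipped."""
    rows = []
    for _, linktype, frame in read_pcap(data):
        if linktype != LINKTYPE_ETHERNET or len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        rows.append((src, dst, frame[23]))
    return rows


# Constructed sample: an ICMP echo request and its reply, as the ping test would produce.
SAMPLE_CAPTURE = build_pcap([
    build_ipv4_frame("192.168.1.10", "192.168.2.10", 1, b"\x08\x00" + b"\x00" * 6),
    build_ipv4_frame("192.168.2.10", "192.168.1.10", 1, b"\x00\x00" + b"\x00" * 6),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for src, dst, proto in summarize(data):
        print(f"{src} -> {dst} proto {proto}")
```

Point the script at the file you exported (python3 readpcap.py MYCAP.pcap) to get one line per IPv4 packet; if nothing prints, check the link type read_pcap reports, since the reader only decodes Ethernet-framed records.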

Remote Access vCloud Director VM Console

I am not sure whether VMware did not document this properly or I did not read it properly. It took me over two days to figure out how to set up vCloud Director so that an authorized user on the Internet can reach a VM's console. The high-level diagram is attached below. This might not be the best setup, but it works and makes sense to me.
[diagram omitted]
The configuration on the firewall (I use an ASA):
  1. Configure static NAT for 172.16.8.10 to 1.2.3.4, so a user on the Internet can reach 1.2.3.4 to log in to the vCloud Director portal.
  2. Configure a twice NAT (manual NAT) rule between the External and LAN interfaces: for any traffic arriving on the External interface destined for 1.2.3.5, the firewall translates the source address to 1.1.1.1 and the destination address to 172.16.9.10. This is not identity NAT, which maps an address to itself; here both source and destination are rewritten.
The configuration on vCloud Director (I use CentOS with two NICs and default gateway 172.16.8.1):
  1. Set the console proxy's external IP to 1.2.3.5 in the vCloud Director management portal.
  2. Add a static route in CentOS: send traffic for 1.1.1.1 via 172.16.9.2. Because every console connection arrives with source 1.1.1.1, this route sends the replies back out through the console-proxy NIC instead of the default gateway.

Names for special characters on keyboard

I am not sure whether schools teach the names of the special characters/signs on the keyboard in English-speaking countries, but we were not taught them in school in China, or at least they were not shown in the textbooks.

So if you have no or limited knowledge of the names of the keyboard signs, here is a list to help you:

‘~’ -> ‘tilde’
‘`’ -> ‘backquote’ or ‘grave accent’
‘!’ -> ‘exclamation mark’
‘@’ -> ‘at sign’
‘#’ -> ‘number sign’ or ‘hash’ or ‘pound sign’
‘$’ -> ‘dollar sign’
‘%’ -> ‘percent sign’
‘^’ -> ‘caret’
‘&’ -> ‘ampersand’
‘*’ -> ‘asterisk’ or ‘star’
‘(’ -> ‘parenleft’ or ‘opening parenthesis’
‘)’ -> ‘parenright’ or ‘closing parenthesis’
‘-’ -> ‘minus’ or ‘hyphen’
‘_’ -> ‘underscore’
‘+’ -> ‘plus’
‘=’ -> ‘equals sign’
‘{’ -> ‘braceleft’ or ‘opening brace’
‘[’ -> ‘bracketleft’ or ‘opening bracket’
‘}’ -> ‘braceright’ or ‘closing brace’
‘]’ -> ‘bracketright’ or ‘closing bracket’
‘|’ -> ‘bar’ or ‘pipe’
‘\’ -> ‘backslash’
‘:’ -> ‘colon’
‘;’ -> ‘semicolon’
‘"’ -> ‘double quote’
‘'’ -> ‘single quote’ or ‘apostrophe’
‘<’ -> ‘less-than sign’
‘,’ -> ‘comma’
‘>’ -> ‘greater-than sign’
‘.’ -> ‘period’ or ‘full stop’
‘?’ -> ‘question mark’
‘/’ -> ‘forward slash’
‘ ’ -> ‘space’