Virtual Machines and Home Lab’s. Why do the vendors make it so hard ?

I am a big fan of running everything virtually.  There used to be day when I had a ton of kit but now all I have is a small HP Microserver, an i7 Lenovo desktop PC, Lenovo T440S i7 Laptop and an i3 Surface Pro 3. I use VMware Workstation 10 as much as I can.   I used to use Virtual Box back in the day but found it just too troublesome with converting VM’s from manufacturers.

Most of the time it is very easy to download a virtual machine from a manufacturer and it will just run.  Juniper, Microsoft and some others are good.  Some will be in VMware appliance formats.  Others use the open OVA format.  Others such as Cisco, F5 and Fortinet will only support OVA’s that you can only import into ESX.  Workstations fails with various errors even though  – in theory – OVA is an open, portable format  …….

My fix is do this:

1) Download VMware ESX evaluation

2) Install as a VM within VMware Workstation

3) Navigate to the ESX Managment address via a browser.   Either use the Web GUI or vCentre GUI

4) Import the OVA into ESX

5) Once imported.   Navigate to the Data Store Browser.

6) Copy out the whole folder for the imported VM

7) Open the VMX in VMware Workstation.

8) Edit the NIC’s etc as nessiary

9) Start the VM

That seems to always work for me !

 

Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication Part 4 – More ASA Side

Some parts I forgot from the last few posts.

The ASA also uses Group Policy (not AD group policy!) configuration.  In here you set useful things such as DNS, domain and other properties.  Its also the area to configure specifics for the IPSEC Phase 2 connection.   I normally use a GP per connection as its allows some flexibility when making changes later on.  You can also set some values within the default group policy that will be standard over the whole of your ASA, which depending on if inherit is turned on or not get set.

For Apple iOS devices IP Compression and PFS have to be turned on.  On Android, these are not.  You get a strange symptom (if set) where the Android handset claims its connected (and the ASA even issues an IP address) but the device never shows connected in ASDM.  It was only with use of various debugs that I managed to find this out.

Group policies therefore are:

!Apple iOS
group-policy GP_iOS internal
group-policy GP_iOS attributes
 dns-server value 10.100.200.10 10.100.202.10
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 
 ip-comp enable
 pfs enable
 default-domain value mydomain.local

!Android
 group-policy GP_ANDR internal
 group-policy GP_ANDR attributes
  dns-server value 10.100.202.10 10.100.200.10
  vpn-session-timeout none
  vpn-tunnel-protocol ikev1 
  default-domain value mydomain.local

That should complete all of the configuration requried to allow iOS and Android devices to connect to a Cisco ASA using the inbuilt native IPSEC client using x509 certificates.   You really arn’t using Pre Shared Keys in this day and age are you ?

Putty – Session Logs

A useful feature when you are working on multiple devices is to keep as session log for every session.  You can then easilly see what you have typed or provide evidence.

To configure this for every session:

1) Open Putty

2) Select the Default Settings and press Load

3) Navigate to Session > Logging

4) Set the Log file name in a format that makes sence to you.  You can see mine

5) Navigate back to the sessions, making sure Default Settings is still highlighted and then press Save

Test !

Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication – Part 2

So the previous thread we were discussing Apple iOS.  Now you may have had the same issues with Andoid with it becomming more popular.

First issue when configuring the ASA is the IKEv1 key exchange that goes on.  When a device attempts to connect, the client is asked to provide all of the key schemes that it supports.  Android 4.1+ and IOS 7 give out (in order)

Android

AES-CBC 256 Seconds 28800 SHA1 DH Gp 2
AES-CBC 256 Seconds 28800 MD5 DH Gp 2
AES-CBC 128 Seconds 28800 SHA1 DH Gp 2
AES-CBC 128 Seconds 28800 MD5 DH Gp 2
3DES-CBC Seconds 28800 SHA1 DH Gp 2
3DES-CBC Seconds 28800 MD5 DH Gp 2
DES-CBC Seconds 28800 SHA1 DH Gp 2
DES-CBC Seconds 28800 MD5 DH Gp 2

iOS 7

AES-CBC 256 Seconds 3600 SHA1 DH Gp 5
AES-CBC 256 Seconds 3600 SHA1 DH Gp 2
AES-CBC 128 Seconds 3600 SHA1 DH Gp 2
AES-CBC 256 Seconds 3600 MD5 DH Gp 5
AES-CBC 256 Seconds 3600 MD5 DH Gp 2
AES-CBC 128 Seconds 3600 MD5 DH Gp 2
3DES-CBC Seconds 3600 SHA1 DH Gp 2
3DES-CBC Seconds 3600 MD5 DH Gp 2
DES-CBC Seconds 3600 SHA1 DH Gp 2
DES-CBC Seconds 3600 MD5 DH Gp 2

Now we have these values we can look at configuring the ASA to support native IOS and Andoid clients using x509 Certificate authentication.   Its pretty obvious that the top one is the most secure, trailing off to blatantly insecure…….

Time for post 3……..

VMware Workstation 8 – WAN simulation (Awesome feature alert)

Just found an awsome feature…… a bandwidth and interface error generator for each virtual NIC.  Great if you are doing Proof of Concept testing for high latency or even 3G simulated links.

To configure, locate the virtual NIC properties and press ‘Advanced’

VMw-Net1
Then you will be shown this screen.  You can select preset bandwidth in both directions and packet loss

VMw-Net2

Its truly an awsome product that amazes me each time I try to do somthing

Native Apple iOS Client to Cisco ASA VPN using Certificate Authentication – Part 1

I have been working on this for a while now.  Because of a variety of reasons that I can’t go into here some of my configuration was mandatory.

The Apple iOS (used on iPhone, iPad and iPod Touch) has an in-built VPN client that Cisco assisted with development.  It supports PPTP, L2TP and IPSEC.  Unless you are crazy you would only seriously use IPSEC.  However, it only supports IPSEC using IKEv1 key negotiation.  Unless you have a specific reason really only IKEv2 should be used a it has a number of performance and security benefits.  So that causes a problem with iOS devices.

Using a IKEv1 in conjunction with a group/pre-shared key is well documented and simple to get working.  If you are using Certificates then it gets a whole lot interesting.

One fix is to use the AnyConnect client from the App Store.  This is free to download and can be deployed using the Apple Configurator utility from a Mac OSX device.  This allows SSL VPN as well as IPSEC IKEv2 connections (in version 3.0 of the AnyConnect iOS/Andriod client) and has enterprise grade tools such as logging, diagnotics and a tool similar to the DART utility that the desktop AnyConnect has.

The difficulty with this is that even though you have purchased SSL VPN user licences (AnyConnect Essentials or Premium) Cisco still want some more money in the guise of ‘AnyConnect Mobile’ licence.  These retail at around £500 but still another outlay you did not bargin for.  Also your security policy may mandate the use of the built in client so its time to roll up your sleeves.

So what’s it doing ?

As with most things, being able to see what the iOS device is actually doing would be a good start.  In Apples infinite wisdom any user messages are usually “cannot connect”, “unable to verify server” and not a lot else.

Armed with a Mac you do have a number of tools at your disposal.  Of course if you are reading this it stands a good chance you are doing this is a company and you will need a Mac to deploy Enterprise profiles to iOS devices as lets face it you really, really should lock those babies down.

1) Remember the Mac OSX VPN client is very similar to the iOS VPN client so if its possible to replicate the configuration on the Mac, you may see something more useful to start with.  In my experience you don’t but its worth mentioning.

2) Using Xcode its possible to see the iOS devices system log in realtime (equivalent of the /var/log/messages file)  From this you can see more useful messages from the client.  To do this:

  • Install either Xcode or the Apple Enterprise Configurator from http://www.apple.com/support/iphone/enterprise/  I used Xcode
  • Open Xcode, then select Window > Organiser
  • Connect to iOS device to your Mac using a USB cable
  • You should then be able to select the device then Console Log

3) For a low level view of what’s going on you can use the Mac to create a virtual interface to tunnel the iOS devices network traffic over.  From then you can use TcpDump to take packet captures.

You again need a Mac, USB cable and a utility from the App Store that you an pull the iOS’s UUID device down.  This is important.  I used UDID+ but there are others.   Quite how this will work when Apple remove it from iOS 6 is not well known…… anyhooo…..  Once you have the UDID run the following on the Mac

 $ # First get the current list of interfaces.
 $ ifconfig -l
 lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0
 $ # Then run the tool with the UDID of the device.
 $ rvictl -s 74bd53c647548234ddcef0ee3abee616005051ed
Starting device 74bd53c647548234ddcef0ee3abee616005051ed     [SUCCEEDED]
$ # Get the list of interfaces again, and you can see the new virtual
 $ # network interface, rvi0, added by the previous command.
 $ ifconfig -l
 lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0 rvi0

Then

$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.rpmuxd.plist

Now that you know the name of the RVI, you can point your packet trace tool at it. For example, he’s how you might run tcpdump to take a packet trace from the RVI.

$ sudo tcpdump -i rvi0 -n
tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
 (BIOCPROMISC: Operation not supported on socket)
 tcpdump: WARNING: rvi0: no IPv4 address assigned
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on rvi0, link-type RAW (Raw IP), capture size 65535 bytes


When you’re done you can remove the RVI with the following command.

$ rvictl -x 74bd53c647548234ddcef0ee3abee616005051ed
Stopping device 74bd53c647548234ddcef0ee3abee616005051ed [SUCCEEDED]

That should get you into a position you can debug the client traffic.  Simply open the captured traffic up in WireShark and you may have a clue…….

In part 2, Ill discuss ASA configuration and what works, what does not and what is an Cisco ASA bug !

RSA Authentication Manager–Custom Reports

Working with this product, its evident that the inbuilt reports are not that useful for certain things.   I wanted to find a way of logging users who have used SecurID to authenticate against a number of hosts.

So time to learn the custom queries section of the product, me thinks.

The Server is (obviously) SQL based.  The schema is fairly easy to understand, especially if you look at the examples within the help text or provided on the server.

It is possible to import my SQL scripts by creating a new Custom Query then pasting in the SQL. So…. scripts:

Todays Unique User Count

SELECT COUNT(DISTINCT chUserName) 
FROM SDLogEntry 
WHERE dtLocalDate = GMTDateNow   
AND iMessageNum = 1011   
AND (CHClientName = "host1" OR CHClientName = "host2")

Remember to change the host1 and host2 entries to your device host names obviously.  If you have more then add more to the last AND

Message Number 1011 is a ‘Passcode Successful’ – meaning a successful authentication

Todays Successful Users

SELECT SDLogEntry.dtLocalDate, SDLogEntry.TLocalTOD, SDLogEntry.chUserName, SDLogEntry.chLogin, SDLogEntry.chClientName, SDLogMessage.chShortMessage
FROM SDLogEntry, SDLogMessage 
WHERE SDLogEntry.dtLocalDate = GMTDateNow   
AND SDLogEntry.iMessageNum = 1011   
AND SDLogMessage.iMessageNum = SDLogEntry.iMessageNum  
AND (SDLogEntry.CHClientName = "host1" OR SDLogEntry.CHClientName = "host2")

Again 1011 is a successful passcode.

This uses a select from multiple tables to get the actual description of the message number to make the report more readable.

Todays Failures

SELECT SDLogEntry.dtLocalDate, SDLogEntry.TLocalTOD, SDLogEntry.chUserName, SDLogEntry.chLogin, SDLogEntry.chClientName, SDLogMessage.chShortMessage
FROM SDLogEntry, SDLogMessage 
WHERE SDLogEntry.dtLocalDate = GMTDateNow   
AND SDLogEntry.iMessageNum <> 1011   
AND SDLogMessage.iMessageNum = SDLogEntry.iMessageNum  
AND (SDLogEntry.CHClientName = "host1" OR SDLogEntry.CHClientName = "host2")

This uses the same format as success but with a ‘not’ 1011.  The report can be useful to troubleshoot users having problems or who are dim :)

Using Arguments to Select Dates

All of the above are for a single day, which is which is specified by the ‘GMTDateNow’ value.  This can be changed to use Argument Selectors which you can build in the same screen as the SQL entry.  Thus an example of ‘Successful Users’ would be:

SELECT SDLogEntry.dtLocalDate, SDLogEntry.TLocalTOD, SDLogEntry.chUserName, SDLogEntry.chLogin, SDLogEntry.chClientName, SDLogMessage.chShortMessage
FROM SDLogEntry, SDLogMessage 
WHERE SDLogEntry.dtLocalDate > ARG01 AND SDLogEntry.dtLocalDate < ARG02
AND SDLogEntry.iMessageNum = 1011   
AND SDLogMessage.iMessageNum = SDLogEntry.iMessageNum  
AND (SDLogEntry.CHClientName = "host1" OR SDLogEntry.CHClientName = "host2")

Where ARG01 = Start Date and ARG02 = End Date

These can be applied to any of the reports.

Other Information

One thing I found is that the custom queries are stored locally on the machine that create the reports so to share them to others you have to use a fileshare, USB disk or similar method.

Also the HTML format reports aren’t to bad so its worth a look at using this output method.

Useful IOS commands

Shamefully taken from  https://www.eng.uwaterloo.ca/twiki/bin/view/Engcomp/CommonCiscoCommands

To enable privileged command mode

enable

To enter switch configuration mode (from privileged command mode)

configure terminal

To enter port configuration mode (from switch configuration mode)

interface FastEthernet0/5

To return from one mode to the previous mode

exit

To show the mac table

show mac-address-table

To show port information

show interfaces

To show the switch version

show version

To save the configuration

write memory

To show the configuration

show running-config

To set the port description of FastEthernet0/5 to “engmail”

configure terminal
interface FastEthernet0/5
description engmail
exit

To remove the port description from FastEthernet0/5

configure terminal
interface FastEthernet0/5
no description
exit

To set FastEthernet0/5 to 100/full

configure terminal
interface FastEthernet0/5
speed 100
duplex full
exit

To set FastEthernet0/5 to auto/auto

configure terminal
interface FastEthernet0/5
speed auto
duplex auto
exit

To turn FastEthernet0/5 into a dot1q trunk

configure terminal
interface FastEthernet0/5
no switchport access vlan
switchport mode trunk
switchport trunk encapsulation dot1q
exit

To turn FastEthernet0/5 into a non trunk

configure terminal
interface FastEthernet0/5
no switchport mode trunk
no switchport trunk encapsulation
no switchport trunk allowed vlan
no switchport trunk native vlan
switchport mode access
exit

To set the allowed vlans on trunk port FastEthernet0/5 to 20,50,100

configure terminal
interface FastEthernet0/5
switchport trunk allowed vlan 20,50,100
exit

To remove the allowed vlans from trunk port FastEthernet0/5 (will default to all vlans in vlan database)

configure terminal
interface FastEthernet0/5
no switchport trunk allowed vlan
exit

To restrict the number of mac address on FastEthernet0/5 to 1

2900/3500 series…

configure terminal
interface FastEthernet0/5
port security max-mac-count 1
exit

2950/3550 series…

conf term
interface FastEthernet0/5
switchport port-security
switchport port-security maximum 1
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security aging static
exit

To remove the mac address restriction from FastEthernet0/5

configure terminal
interface FastEthernet0/5
no port security
exit

To set the vlan on FastEthernet0/5 to 150

configure terminal
interface FastEthernet0/5
switchport access vlan 150
exit

To remove the vlan from FastEthernet0/5 (port will default to vlan 1)

configure terminal
interface FastEthernet0/5
no switchport access vlan
exit

To set the native vlan (untagged vlan) on trunk FastEthernet0/5 to 75

configure terminal
interface FastEthernet0/5
switchport trunk native vlan 75
exit

To remove the native vlan (untagged vlan) from trunk FastEthernet0/5

configure terminal
interface FastEthernet0/5
no switchport trunk native vlan
exit

To set FastEthernet0/5 to portfast

configure terminal
interface FastEthernet0/5
spanning-tree portfast
exit

To set FastEthernet0/5 to not be portfast

configure terminal
interface FastEthernet0/5
no spanning-tree portfast
exit

To disable spanning tree on vlan 20

configure terminal
no span vlan 20
exit

To enable spanning tree on vlan 20

configure terminal
span vlan 20
exit

To disable port FastEthernet0/5

configure terminal
interface FastEthernet0/5
shutdown
exit

To enable port FastEthernet0/5

configure terminal
interface FastEthernet0/5
no shutdown
exit

To get a GBIC port to talk to a BayStack

configure terminal
interface GigabitEthernet0/2
no negotiation auto
exit

IOS upgrade (general procedure)

Important. Read the Cisco documentation. This procedure is minimal, and does not install the web management interface. Do not follow these instructions unless you are familliar with the procedure.

dir flash:

delete the html directory, and diag file (if any)

delete flash:html/*

rename the existing image to the name of the new image

rename flash:c3500XL-c3h2s-mz.120-5.WC2.bin flash:c3500xl-c3h2s-mz.120-5.WC5a.bin 

conf term
boot system flash:c3500xl-c3h2s-mz.120-5.WC5a.bin
exit 

copy tftp://129.97.x.y/tmpdata/c3500xl-c3h2s-mz.120-5.WC5a.bin flash:c3500xl-c3h2s-mz.120-5.WC5a.bin

copy flash:c3500xl-c3h2s-mz.120-5.WC5a.bin tftp://129.97.x.y/tmpdata/junk

check the md5 on junk compared to c3500xl-c3h2s-mz.120-5.WC5a.bin before doing the reload

write mem
reload