Kevsters Blog

My little part of the Internet


Windows Phone 8.1 to Cisco ASA VPN – Part 2

Cisco have now released a BETA AnyConnect client for Windows Phone 8.1, available at the Windows Phone store.
I haven't tested the latest builds, but the initial version had a few showstoppers that appear to have been fixed.  Remember this uses SSL/TLS encryption only, and your local security policy may mandate the use of IPsec, along with all its issues!
Also, they don't appear to have fixed the session timeout bug, so that may cause a few headaches with disconnects.

Windows Phone 8.1 to Cisco ASA VPN

[There is next to no information available on this, so this was borne out of experimentation and a lot of packet capture analysis]
Update:  Since testing this I have found that L2TP/IPsec does not work if the ASA is behind a NAT device.  This is because the WP81 device explicitly will not connect to a NAT-T device.  There is a registry key on Windows to enable this, however there is nothing equivalent on WP8.
Windows Phone 8.1 introduced a native VPN client to the operating system.  It supports L2TP/IPsec and IPsec IKEv2 natively, and various SSL VPN providers via plug-ins downloaded from the Windows Store.  At the moment Juniper, Checkpoint and F5 have all made clients.  Sadly Cisco has not yet, although it is due to release one by mid 2015.
This leaves organisations with a quandary, not being able to support Windows Phone.  This is a shame, as the platform appears to try to support strong authentication and encryption schemes where possible.
You would like to think that, with Windows Phone supporting IKEv2 and Cisco AnyConnect 3.x/4.x's IPsec implementation using only IKEv2, the two would interoperate.  Sadly they do not.  The ASA, for some reason, always believes the Windows Phone to be an L2L (LAN to LAN/Site to Site) VPN.  Repeated attempts could not get this to work.
Since writing the above and reading the Cisco documentation more, it turns out the ASA needs to be at 9.3(2) or above to support 3rd party IPsec clients.
IKEv2 proposals sent from Windows Phone (just for information) are:

3DES SHA1 DH Gp 2
AES-CBC 128 SHA1 DH Gp 2
3DES SHA256 DH Gp 2
AES-CBC 128 SHA256 DH Gp 2
AES-CBC 128 SHA384 DH Gp 2

I'm still battling the ASA/WP81 connection using IKEv2 and certificates.  The configuration appears to be a little problematic and current working solutions rely on the use of EAP for the client authentication.  However, if you want to do plain, boring, RSA certificate authentication at both ends it does not work, due to the ASA wanting to use RSA and the WP81 device trying ECDSA, which the ASA doesn't offer ..... [currently talking to TAC]
This only leaves L2TP/IPsec as an option, which the ASA does support.  Effectively this uses an IKEv1 IPsec channel to tunnel L2TP over.  L2TP is not a very secure protocol on its own but is very good for tunnelling, and over IPsec it should be fine for most environments.  As mentioned, IKEv1 is used and the following modes are proposed from Windows Phone:

AES-CBC 256 28800 seconds SHA1 DH Gp 20
AES-CBC 128 28800 seconds SHA1 DH Gp 19
AES-CBC 256 28800 seconds SHA1 DH Gp 14
3DES 28800 seconds SHA1 DH Gp 14
3DES 28800 seconds SHA1 DH Gp 2

Testing with ASA code 9.2-ish (seems OK on 8.6-ish too), only the last mode (3DES, SHA1, DH Gp 2) appears to work.  Not 100% sure of the reason, but I suspect Cisco only support DH Groups 20, 19 and 14 when using IKEv2.  Thus on the ASA side you need to add:

! Note: use any ikev1 policy number you have free
crypto ikev1 policy 5
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 28800
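To see why only the last proposal gets through, here is an added example (not code from the blog post) that models the IKEv1 phase-1 selection: the proposal lines quoted above are parsed as data, the `crypto ikev1 policy 5` configuration is represented the same way, and the Cisco responder rule is applied (walk the ASA policies in priority order and accept the first one that matches any proposal the initiator sent, with the initiator's lifetime not exceeding the responder's). The matching rule and the data layout are my assumptions for illustration, not anything the ASA exposes.

```python
"""Model IKEv1 phase-1 policy selection between a WP8.1 client and an ASA.

Added example: the proposal list and the 'crypto ikev1 policy 5' block from the
post are reproduced as data; the matching rule is the usual Cisco responder
behaviour (policies checked in priority order against every proposal received).
"""
from dataclasses import dataclass

# Proposal lines exactly as listed in the post for the L2TP/IPsec (IKEv1) case.
WP81_IKEV1_PROPOSALS = """
AES-CBC 256 28800 seconds SHA1 DH Gp 20
AES-CBC 128 28800 seconds SHA1 DH Gp 19
AES-CBC 256 28800 seconds SHA1 DH Gp 14
3DES 28800 seconds SHA1 DH Gp 14
3DES 28800 seconds SHA1 DH Gp 2
"""

# The ASA policy from the post, in the vocabulary the ASA CLI uses.
ASA_POLICIES = [
    {"priority": 5, "encryption": "3des", "hash": "sha", "group": 2, "lifetime": 28800},
]

# ASA 'hash sha' means SHA-1; map CLI keywords onto the client's naming.
ASA_HASH_NAMES = {"sha": "sha1", "sha256": "sha256", "sha384": "sha384", "md5": "md5"}


@dataclass(frozen=True)
class Proposal:
    encryption: str   # '3des', 'aes-128', 'aes-256'
    hash_alg: str     # 'sha1', 'sha256', ...
    dh_group: int
    lifetime: int     # seconds


def parse_client_proposals(text):
    """Parse lines such as 'AES-CBC 256 28800 seconds SHA1 DH Gp 20' or
    '3DES 28800 seconds SHA1 DH Gp 2' into Proposal objects, in the order sent."""
    proposals = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0].upper() == "AES-CBC":           # cipher followed by key size
            encryption, rest = f"aes-{tokens[1]}", tokens[2:]
        else:                                         # 3DES carries no key-size token
            encryption, rest = tokens[0].lower(), tokens[1:]
        # rest == ['28800', 'seconds', 'SHA1', 'DH', 'Gp', '<group>']
        proposals.append(Proposal(encryption, rest[2].lower(), int(rest[5]), int(rest[0])))
    return proposals


def select_policy(client_proposals, asa_policies):
    """Return (asa_policy, matching_proposal) for the first ASA policy, in priority
    order, that matches one of the client's proposals, or None when nothing matches
    (phase 1 would then fail and the tunnel never comes up)."""
    for policy in sorted(asa_policies, key=lambda p: p["priority"]):
        for prop in client_proposals:
            if (policy["encryption"] == prop.encryption
                    and ASA_HASH_NAMES.get(policy["hash"]) == prop.hash_alg
                    and policy["group"] == prop.dh_group
                    and prop.lifetime <= policy["lifetime"]):
                return policy, prop
    return None


def unmatched(client_proposals, asa_policies):
    """List the client proposals that no configured ASA policy can satisfy."""
    return [p for p in client_proposals if select_policy([p], asa_policies) is None]


if __name__ == "__main__":
    props = parse_client_proposals(WP81_IKEV1_PROPOSALS)
    print("selected:", select_policy(props, ASA_POLICIES))
    for p in unmatched(props, ASA_POLICIES):
        print("no ASA policy for:", p)
```

Running it shows the single match (3DES/SHA1/group 2/28800) and the four proposals the configured policy cannot serve; lowering the ASA policy lifetime below 28800 makes even that match disappear, which is the other failure mode worth checking when a phase-1 negotiation dies silently.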

You then need to look at the IPsec SA.  The 'best' I found to work was using AES128 with SHA1 hash.  The Windows client differs from a standard client in that it uses TRANSPORT mode, as opposed to TUNNEL mode.  Windows also has some values for SA lifetimes that need to be used.  Thus the ASA config needs the following:

! Note:  My ASA external interface is called 'outside', YMMV
! Note:  The transform sets referenced below must exist and be in transport mode;
!        if they are not already defined on your ASA, add them first:
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto dynamic-map outside_dyn_map 60000 set ikev1 transform-set ESP-AES-128-SHA-TRANS ESP-3DES-SHA-TRANS
crypto dynamic-map outside_dyn_map 60000 set security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 60000 set security-association lifetime kilobytes 250000
! Note: No PFS is supported
! Note: NAT-T is enabled by default.

I could have amended the standard dynamic crypto map to include these values but decided to keep it separate.
The next challenge is authentication.  The ASA supports certificate based authentication, but Windows Phone only supports a pre-shared key along with username and password.  This can be passed to whatever AAA solution you may have defined within the ASA (such as Active Directory/RADIUS/even SecurID) or could be a local username and password.  Also, the L2TP/IPsec profile does not support the concept of a 'group' (which can be used to map to an ASA connection profile), thus the DefaultRAGroup has to be used.  Here's hoping you haven't used this group for any of your client access 🙂  If you have, then you need to be very careful not to break any existing access.
First you need to create a new group policy to attach to the group:

group-policy GP-WinPhone internal
group-policy GP-WinPhone attributes
 wins-server none
 dns-server value 10.x.x.x 192.168.x.x
 vpn-tunnel-protocol l2tp-ipsec
 pfs enable
 default-domain value yourdomain.local

This sets the protocol, client domain servers and name.  Next, update the tunnel group:

tunnel-group DefaultRAGroup general-attributes
 address-pool OneOfYourPools
 default-group-policy GP-WinPhone
 authentication-server-group LOCAL
 ! Set a different group here depending on local security policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key xxxxxxxxxx
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 no authentication ppp
 no authentication ms-chap-v1
 authentication ms-chap-v2

This should be enough, apart from adding a new local user for authentication.  In the above I used the local user database:

username myWinPhoUser password xxxxxxxxx nt-encrypted
username myWinPhoUser attributes
 service-type remote-access

That should get you a working connection on the ASA side.
From the Windows Phone side, configure from Settings > VPN > Add:
[Screenshots of the Windows Phone VPN profile settings]
You can set a proxy as need be.  As discussed before, there is no way to use L2TP/IPsec without a username and password being set.  So you may as well use them, either a local user as an additional pre-shared key, or an Active Directory username and password as additional authentication.
Good luck!

CISSP

Finally had notification that I am now officially CISSP certified!

I'm not a certification chaser but decided late last year I wanted to do something different to pure technical qualifications.  It was a very long (6 hour/250 questions, some interactive) exam and certification process, but now all done.  Very happy.
Next is keeping up with various things to gain CPEs.
I think Certified Ethical Hacker (CEH) next......

Private Network Address ranges

Most people will be familiar with the RFC 1918 standard for private network addressing.
Reading through a lot of the RFCs, they have now been superseded by later versions.  The most current appears to be RFC 6890, although it is badly formatted into tables.  The prior version, RFC 5735, has a section 4 which is much more usable.

Address Block       Present Use                  Reference
------------------------------------------------------------------
0.0.0.0/8           "This" Network               RFC 1122, Section 3.2.1.3
10.0.0.0/8          Private-Use Networks         RFC 1918
127.0.0.0/8         Loopback                     RFC 1122, Section 3.2.1.3
169.254.0.0/16      Link Local                   RFC 3927
172.16.0.0/12       Private-Use Networks         RFC 1918
192.0.0.0/24        IETF Protocol Assignments    RFC 5736
192.0.2.0/24        TEST-NET-1                   RFC 5737
192.88.99.0/24      6to4 Relay Anycast           RFC 3068
192.168.0.0/16      Private-Use Networks         RFC 1918
198.18.0.0/15       Network Interconnect
                    Device Benchmark Testing     RFC 2544
198.51.100.0/24     TEST-NET-2                   RFC 5737
203.0.113.0/24      TEST-NET-3                   RFC 5737
224.0.0.0/4         Multicast                    RFC 3171
240.0.0.0/4         Reserved for Future Use      RFC 1112, Section 4
255.255.255.255/32  Limited Broadcast            RFC 919, Section 7
                                                 RFC 922, Section 7

For DEV, LAB and TEST networks this shows two more segments that can be used (198.51.100.0/24 and 203.0.113.0/24), along with one I have used often, 192.0.2.0/24.
It's amazing how often I have come across organisations not taking these into account when planning addressing schemes.
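As an added example (not from the blog post), the RFC 5735 table above can be turned into a planning check: each proposed prefix is tested against the special-purpose blocks with Python's standard `ipaddress` module, so a scheme that lands on public space, straddles a reserved block, or collides with the benchmark range gets flagged before it is deployed. The descriptions and the rule that only RFC 1918 space (optionally plus the TEST-NET documentation ranges) is acceptable for a lab plan are my assumptions for this illustration.

```python
"""Check a proposed IPv4 addressing plan against the RFC 5735 special-purpose table.

Added example, not part of the original post. The table below is transcribed
from RFC 5735 section 4; the 'acceptable for a plan' rule is an assumption.
"""
import ipaddress

SPECIAL_PURPOSE = {
    "0.0.0.0/8": '"This" network (RFC 1122)',
    "10.0.0.0/8": "Private-use (RFC 1918)",
    "127.0.0.0/8": "Loopback (RFC 1122)",
    "169.254.0.0/16": "Link local (RFC 3927)",
    "172.16.0.0/12": "Private-use (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 5736)",
    "192.0.2.0/24": "TEST-NET-1 (RFC 5737)",
    "192.88.99.0/24": "6to4 relay anycast (RFC 3068)",
    "192.168.0.0/16": "Private-use (RFC 1918)",
    "198.18.0.0/15": "Benchmark testing (RFC 2544)",
    "198.51.100.0/24": "TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4": "Multicast (RFC 3171)",
    "240.0.0.0/4": "Reserved for future use (RFC 1112)",
    "255.255.255.255/32": "Limited broadcast (RFC 919)",
}
PRIVATE_USE = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}
DOCUMENTATION = {"192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"}


def classify(prefix):
    """Return (block, description) for the first special-purpose block the prefix
    overlaps, or None if it lies entirely in ordinary (publicly routed) space."""
    net = ipaddress.ip_network(prefix, strict=False)
    for block, description in SPECIAL_PURPOSE.items():
        if net.overlaps(ipaddress.ip_network(block)):
            return block, description
    return None


def check_plan(prefixes, allow_documentation=False):
    """Return a list of (prefix, problem) for prefixes in a proposed plan that are
    not RFC 1918 space (or, optionally, the TEST-NET documentation ranges), that
    straddle the edge of such a block, or that overlap another planned prefix."""
    problems = []
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    for i, net in enumerate(nets):
        hit = classify(str(net))
        if hit is None:
            problems.append((str(net), "public/unallocated space: not a private-use block"))
        else:
            block, description = hit
            block_net = ipaddress.ip_network(block)
            acceptable = block in PRIVATE_USE or (allow_documentation and block in DOCUMENTATION)
            if not acceptable:
                problems.append((str(net), f"overlaps {block}: {description}"))
            elif not block_net.supernet_of(net):
                # e.g. 10.0.0.0/7 spills past the end of 10.0.0.0/8
                problems.append((str(net), f"straddles the edge of {block}"))
        for other in nets[i + 1:]:
            if net.overlaps(other):
                problems.append((str(net), f"overlaps another planned prefix {other}"))
    return problems


if __name__ == "__main__":
    # Constructed plan: one sound prefix, the classic 172.32 mistake, a TEST-NET,
    # a benchmark-range collision and an internal overlap.
    plan = ["10.20.0.0/16", "172.32.0.0/16", "192.0.2.0/24", "198.18.0.0/24", "10.20.1.0/24"]
    for prefix, problem in check_plan(plan):
        print(f"{prefix:18} {problem}")
```

The `172.32.0.0/16` case is the one that catches people most often: the RFC 1918 block is 172.16.0.0/12, which ends at 172.31.255.255, so anything in 172.32 and above is somebody else's public space.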

Blogging is hard……

Despite what folks might think, if you have a 'normal' job and run your own blog, it's a hard thing to do reliably.
I thought the challenge of blogging each day for a month would be easy.  I thought preparing a few up front, writing on some days and publishing on others would work out, but it didn't.  I made eight days, then failed.  Real life got in the way and meant it got left.
Bit of a fail there for me......  however, in the meantime I successfully passed my CISSP exam, which is a big result for me.  Perhaps I'll have to blog about that....... 🙂
I'll try and post at least once a month from now on!

In Car Entertainment and Car PC’s

I have a fairly old car.  It's a 2005 Land Rover Discovery 3 that I purchased back in 2009.  It's a base model, which meant it came without any of the frills and flash in-car entertainment that the high spec HSE models come with.
It has its advantages.  It means I can upgrade what I like without causing issues with other features of the car.
In turn I have now replaced the head unit (for a Pioneer DAB, Bluetooth device) and then, about three years ago, fitted an in-car PC.  I'll detail this in another post, but effectively it's a ruggedised PC with a 12v vehicle PSU (handles power cycle, starting cycle and power on/off) that allows attachments such as GPS, Bluetooth, video capture, touch screen, A/D input/output module etc. and can be used for many things: navigation, media/video, camera recording and much more.  You can run Linux or Windows.  I now have Windows 8.1 and run a custom front end called Centrafuse, which acts as the skin and controls everything.

[Photo: D4 wheel with Centrafuse display]

[Photo: The PC]

[Photo: The PC innards]

I guess they are not as popular now that cheap tablets with GPS, SD cards and Bluetooth can be had for as little as £100.
It's been a bit of a labour of love and very testing at times.  I have been meaning to document it for ages and this post has made me remember this.  So I shall begin....

IT Contract Recruitment in the UK

I have now been working in IT since 1989 and have been an IT contractor since 2000.  I am still amazed how much the market hasn't changed and how contractors get treated by IT agencies.
In the UK they are a necessary evil.  Large companies won't hire direct and can't be doing with the hassle of searching and filtering, as well as paying non-employee staff, so I can understand that part.  The agencies handle this (and, to be fair, other things) and yet most seem to lose all sense of manners sometimes.  My best experiences have been working direct, but that requires a special relationship with the company for it to work.
Back in the day my contracting peers used to use the same agent, who would look after them and get them work.  They used to wine and dine them and treat them as valued assets.  That seems to have changed since then and not got any better.

  • You fire off a CV and sometimes there is not even an acknowledgement of receipt.  How hard is this to do in 2014?
  • They call you, you have a long chat, they say they "will submit your CV" and then you never get any form of communication after that.  Again, it's not hard, is it?
  • They advertise jobs when blatantly there is no job.  They are just fishing for CVs to then send to companies.
  • They ask you to call premium rate numbers to speak to them.
  • They hide behind filtered email addresses.

Don't get me wrong, I'm not bitter about the process.  I realise there are a lot of poor CVs, and even worse staff, in the market.  I pride my CV on being accurate and true.  I also have worked for some very, very good agencies (my current one is brilliant) and some really bad ones (one didn't pay me until the end of the third month).
I have done well over the years and am sure they have too (don't start me on margins!) but a bit of common courtesy wouldn't go amiss.  It takes half a minute to type an email or leave a message.  Otherwise they live up to their reputation as 'pimps' and sit in the same pigeon hole as 'estate agents' for most people.
 

Virtual Machines and Home Labs. Why do the vendors make it so hard?

I am a big fan of running everything virtually.  There used to be a day when I had a ton of kit, but now all I have is a small HP Microserver, an i7 Lenovo desktop PC, a Lenovo T440S i7 laptop and an i3 Surface Pro 3.  I use VMware Workstation 10 as much as I can.  I used to use VirtualBox back in the day but found it just too troublesome when converting VMs from manufacturers.
Most of the time it is very easy to download a virtual machine from a manufacturer and it will just run.  Juniper, Microsoft and some others are good.  Some will be in VMware appliance formats.  Others use the open OVA format.  Others such as Cisco, F5 and Fortinet will only support OVAs that you can only import into ESX.  Workstation fails with various errors even though, in theory, OVA is an open, portable format.......
My fix is to do this:

1) Download VMware ESX evaluation

2) Install as a VM within VMware Workstation

3) Navigate to the ESX management address via a browser.  Either use the Web GUI or the vCenter GUI.

4) Import the OVA into ESX

5) Once imported, navigate to the Datastore Browser.

6) Copy out the whole folder for the imported VM

7) Open the VMX in VMware Workstation.

8) Edit the NICs etc. as necessary

9) Start the VM

That seems to always work for me!
 

New Standards – HTTP2

A great article I came across explaining how HTTP2 works is available at http://daniel.haxx.se/http2/http2-v1.6.pdf
It has some interesting challenges for adoption and implications for network security and the vendors of the associated devices used to secure it.  One of the main challenges is that the format moves from an easy to read text form to a binary blob.  This means Deep Packet Inspection (DPI) of these frames becomes a lot more intensive.
It will also be interesting to see how this gets adopted for the 'average' site.  I can see the Goog, Facebook and Microsoft adopting it, but how long did it take for HTTP 1.1 to become adopted?
One to monitor......
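To make the DPI point concrete, here is an added example (not from the post or the linked paper) that walks a raw HTTP/2 client byte stream frame by frame, using the 9-byte frame header layout from RFC 7540 and a deliberately minimal HPACK decoder that only understands fully-indexed static-table fields. The sample stream is constructed in the code, not captured; the frame type names and the static-table entries are the standard ones, while `SAMPLE_STREAM` and the helper names are mine.

```python
"""Walk a raw HTTP/2 client byte stream frame by frame.

Added example, not code from the blog post or the linked paper. It shows why
an inspection device has more work to do with HTTP/2: the request is cut into
binary frames (RFC 7540 section 4.1) and the header block is HPACK-compressed
(RFC 7541), so ':method: GET' never appears as text on the wire.
"""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"      # 24-byte client connection preface
FRAME_HEADER_LEN = 9
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
END_STREAM, END_HEADERS = 0x1, 0x4                  # HEADERS frame flag bits

# The few HPACK static-table entries this toy decoder understands (RFC 7541 appendix A).
HPACK_STATIC = {2: (":method", "GET"), 3: (":method", "POST"), 4: (":path", "/"),
                5: (":path", "/index.html"), 6: (":scheme", "http"), 7: (":scheme", "https")}


def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data):
    """Split a client-to-server byte stream into frames.

    Raises ValueError on a missing preface or a truncated frame, the kind of
    malformed input a middlebox has to reject cleanly rather than stall on."""
    if not data.startswith(PREFACE):
        raise ValueError("stream does not start with the HTTP/2 connection preface")
    frames, pos = [], len(PREFACE)
    while pos < len(data):
        if pos + FRAME_HEADER_LEN > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        end = pos + FRAME_HEADER_LEN + length
        if end > len(data):
            raise ValueError("truncated frame payload")
        frames.append({"type": FRAME_TYPES.get(ftype, f"UNKNOWN(0x{ftype:02x})"),
                       "flags": flags, "stream": stream_id,
                       "payload": data[pos + FRAME_HEADER_LEN:end]})
        pos = end
    return frames


def decode_indexed_headers(block):
    """Decode HPACK fields of the fully-indexed form (0b1xxxxxxx) that point at the
    static table. Literal, Huffman-coded or dynamic-table fields need a stateful
    decoder, so the first such byte ends decoding and the rest is reported opaque."""
    fields = []
    for i, b in enumerate(block):
        if b & 0x80 and (b & 0x7F) in HPACK_STATIC:
            fields.append(HPACK_STATIC[b & 0x7F])
        else:
            fields.append(("<opaque>", block[i:].hex()))
            break
    return fields


# Constructed sample: preface, an empty SETTINGS frame, then a HEADERS frame on
# stream 1 carrying ':method: GET', ':scheme: https', ':path: /' as three
# one-byte static-table references (0x82, 0x87, 0x84).
SAMPLE_STREAM = (PREFACE
                 + build_frame(0x4, 0, 0, b"")
                 + build_frame(0x1, END_STREAM | END_HEADERS, 1, bytes([0x82, 0x87, 0x84])))

if __name__ == "__main__":
    for frame in parse_frames(SAMPLE_STREAM):
        print(frame["type"], "stream", frame["stream"], "flags", hex(frame["flags"]),
              frame["payload"].hex())
        if frame["type"] == "HEADERS":
            print(decode_indexed_headers(frame["payload"]))
```

A whole GET request fits in three payload bytes, and a string match for `GET` or `https` on the stream finds nothing; an inspection engine has to reassemble frames per stream and keep HPACK decoder state per connection to see what an HTTP/1.1 device could read straight off the wire.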
 


© 2024 Kevsters Blog
