My little part of the Internet

Category: Networking (Page 1 of 2)

Driving Cisco ACI using PowerShell

One thing I have been working on for a long time is to create a set of PowerShell modules for Cisco ACI.

For those that don’t know, ACI is Cisco’s Next Generation DataCentre switching fabric, kind of the next step after Nexus in NX-OS mode. It uses modern techniques such as hardware controllers (APICs – C220 servers) along with Nexus 9500 and Nexus 93xxx switches to form a leaf-spine deployment.

Whilst ACI has a GUI, MO and NX-OS like CLI (not perfect at all !) along with Python and even Ansible, these quickly run out of steam. Whilst Python is a great language it still takes some learning. It’s also not so intuitive when passing results between methods.

I realised there is nothing that lets ACI utilise PowerShell in the way that VMware’s NSX has the most excellent PowerNSX.

Hence, my first cut of ACI-PoSH published to GitHub. There is a ton of work to do on this – documentation being a biggie – but it works.

Development Process

I am quite lucky to have been involved in some large scale ACI deployments; however, when offline from these I have two environments that I use.

  • The Cisco DevNet ACI Sandbox, available at https://developer.cisco.com/site/sandbox/. This is a site that contains working examples of most Cisco products, one being the ACI Simulator (Always on), which is an Internet-connected APIC. No charge, but you do need to register or log in. Just the job for testing, learning and development.
  • The Cisco ACI Simulator (see here). You need a valid CCO account and ACI software support to download it. It will run in most hypervisors (I use VMware Workstation and ESXi) but needs at least 80GB HDD, 8 cores and 16GB RAM available. You will also need your friendly Cisco Account Manager to authorise the activation code.

I’ll be adding more info here in later posts about just how to use it.

Windows Phone 8.1 to Cisco ASA VPN – Part 2

Cisco have now released a BETA AnyConnect client for Windows Phone 8.1, available here at the Windows Phone store.
I haven’t tested the latest builds but the initial version had a few showstoppers that look to have been fixed.  Remember this uses SSL/TLS encryption only and your local security policy may mandate the use of IPsec, along with all its issues !
Also they don’t appear to have fixed the session timeout bug so that may cause a few headaches with disconnects.

Windows Phone 8.1 to Cisco ASA VPN

[There is next to no information available on this, so this was borne out of experimentation and a lot of packet capture analytics]
Update:  Since testing this I have found that L2TP/IPsec does not work if the ASA is behind a NAT device.  This is because the WP81 device explicitly will not connect to a NAT-T device.  There is a registry key on Windows to enable this, however nothing on WP8.
Windows Phone 8.1 introduced a Native VPN client to the operating system.  It allows L2TP/IPsec and IPSEC IKEv2 natively, and various SSL VPN providers via plug-ins downloaded from the Windows Store.  At the moment Juniper, Checkpoint and F5 have all made clients.  Sadly Cisco has not yet, although it is due to release one by mid 2015.
This leaves organisations in a quandary, not being able to support Windows Phone.   This is a shame as the platform appears to try to support strong authentication and encryption schemes where possible.
You would like to think that, with Windows Phone supporting IKEv2 and Cisco AnyConnect 3.x/4.x’s IPSEC implementation using only IKEv2, the two would interoperate.  Sadly they do not.  The ASA – for some reason – always believes the Windows Phone to be a L2L (LAN to LAN/Site to Site) VPN.  Repeated attempts could not get this to work.
Since writing the above and reading the Cisco documentation more, you need ASA to be at 9.3(2) or above to support 3rd Party IPSec clients.
IKEv2 proposals sent from Windows Phone (just for information) are:

3DES SHA1 DH Gp 2
AES-CBC 128 SHA1 DH Gp 2
3DES SHA256 DH Gp 2
AES-CBC 128 SHA256 DH Gp 2
AES-CBC 128 SHA384 DH Gp 2

I’m still battling the ASA/WP81 connection using IKEv2 and certificates.   The configuration appears to be a little problematic and current working solutions rely on the use of EAP for the client authentication.   However, if you want to do plain, boring, RSA certificate authentication at both ends it does not work due to the ASA wanting to use RSA and the WP81 devices trying to use ECDHA, which the ASA doesn’t offer  ….. [currently talking to TAC]
This only leaves L2TP/IPsec as an option, which the ASA does support.  Effectively this uses an IKEv1 IPSEC channel to tunnel L2TP over.  L2TP is not a very secure protocol but is very good for tunnelling; over IPSEC it should be fine for most environments.  As mentioned, IKEv1 is used and the following modes are proposed from Windows Phone:

AES-CBC 256 28800 seconds SHA1 DH Gp 20
AES-CBC 128 28800 seconds SHA1 DH Gp 19
AES-CBC 256 28800 seconds SHA1 DH Gp 14
3DES 28800 seconds SHA1 DH Gp 14
3DES 28800 seconds SHA1 DH Gp 2

Testing with ASA code 9.2-ish (seems ok on 8.6-ish too), only the last mode (3DES, SHA1, DH Gp2) appears to work.   Not 100% sure of the reason, but I suspect Cisco only support DH Group 20, 19 and 14 when using IKEv2.  Thus on the ASA side you need to add:

! Policy 5 is an example; use whatever number you have free
crypto ikev1 policy 5
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 28800

You then need to look at the IPSEC SA.  The ‘best’ I found to work was using AES128 with SHA1 hash.   The Windows client differs from a standard client in that it uses TRANSPORT mode, as opposed to TUNNEL mode.  Windows also has some values for SA lifetimes that need to be used.  Thus the ASA config needs the following:

! Note:  My ASA external interface is called 'outside', YMMV
crypto dynamic-map outside_dyn_map 60000 set ikev1 transform-set ESP-AES-128-SHA-TRANS ESP-3DES-SHA-TRANS
crypto dynamic-map outside_dyn_map 60000 set security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 60000 set security-association lifetime kilobytes 250000
! Note: No PFS is supported
! Note: NAT-T is enabled by default.

I could have amended the standard dynamic crypto map to include these values but decided to keep it separate.
Next challenge is authentication.   The ASA supports Certificate based, but Windows Phone only supports Pre Shared Key along with username and password.  This can be passed to whatever AAA solution you may have defined within the ASA (such as Active Directory/RADIUS/even SecurID) or could be a local username and password.   Also the L2TP/IPsec profile does not support the concept of a ‘group’ (which can be used to map to an ASA connection profile), thus the DefaultRAGroup has to be used.  Here’s hoping you haven’t used this group for any of your client access 🙂   If you have then you need to be very careful not to break any existing access.
First you need to create a new group policy to attach to the group:

group-policy GP-WinPhone internal
group-policy GP-WinPhone attributes
 wins-server none
 dns-server value 10.x.x.x 192.168.x.x
 vpn-tunnel-protocol l2tp-ipsec
 pfs enable
 default-domain value yourdomain.local

This sets the protocol, client domain servers and name.  Next update the tunnel group

tunnel-group DefaultRAGroup general-attributes
 address-pool OneOfYourPools
 default-group-policy GP-WinPhone
 authentication-server-group LOCAL
 ! Set a different group here depending on local security policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key xxxxxxxxxx
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 no authentication ppp
 no authentication ms-chap-v1
 authentication ms-chap-v2

This should be enough apart from adding a new local user for authentication.  In the above I used the local user database.

username myWinPhoUser password xxxxxxxxx nt-encrypted
username myWinPhoUser attributes
 service-type remote-access

That should get you a working connection ASA side.
From the Windows Phone side, configure the connection from Settings > VPN > Add.
You can decide to set a Proxy as needed.  As discussed before, there is no way to use L2TP/IPsec without a username and password being set.  So you may as well use them, either with a local user as an additional Pre Shared Key or with an Active Directory username and password as additional authentication.
Good luck !

Private Network Address ranges

Most people will be familiar with the RFC 1918 standard for private network addressing.
Reading through a lot of the RFCs, they have now been superseded by later versions.  The most current appears to be RFC6890, although it is badly formatted into tables.   The prior version RFC5735 has a section 4 which is much more usable.

Address Block       Present Use                 Reference
------------------------------------------------------------------
0.0.0.0/8           "This" Network              RFC 1122, Section 3.2.1.3
10.0.0.0/8          Private-Use Networks        RFC 1918
127.0.0.0/8         Loopback                    RFC 1122, Section 3.2.1.3
169.254.0.0/16      Link Local                  RFC 3927
172.16.0.0/12       Private-Use Networks        RFC 1918
192.0.0.0/24        IETF Protocol Assignments   RFC 5736
192.0.2.0/24        TEST-NET-1                  RFC 5737
192.88.99.0/24      6to4 Relay Anycast          RFC 3068
192.168.0.0/16      Private-Use Networks        RFC 1918
198.18.0.0/15       Network Interconnect
                    Device Benchmark Testing    RFC 2544
198.51.100.0/24     TEST-NET-2                  RFC 5737
203.0.113.0/24      TEST-NET-3                  RFC 5737
224.0.0.0/4         Multicast                   RFC 3171
240.0.0.0/4         Reserved for Future Use     RFC 1112, Section 4
255.255.255.255/32  Limited Broadcast           RFC 919, Section 7
                                                RFC 922, Section 7

For DEV, LAB and TEST networks this shows two more segments that can be used (198.51.100.0/24 and 203.0.113.0/24) along with one I have used often, 192.0.2.0/24.
It’s amazing how often I have come across organisations not taking these into account when planning schemes.
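Added example, not from the original post: a Python check of planned subnets against the table above, including the case where a planned supernet only partly overlaps a special-use block. The 'prod'/'lab' labels and the sample plan are assumptions made for illustration, and accepting the TEST-NET blocks for lab use follows the suggestion in this post.

```python
import ipaddress

# Special-use IPv4 blocks, copied from the RFC 5735 section 4 table above.
SPECIAL_USE = [(ipaddress.ip_network(c), use) for c, use in [
    ("0.0.0.0/8", '"This" Network'),
    ("10.0.0.0/8", "Private-Use Networks"),
    ("127.0.0.0/8", "Loopback"),
    ("169.254.0.0/16", "Link Local"),
    ("172.16.0.0/12", "Private-Use Networks"),
    ("192.0.0.0/24", "IETF Protocol Assignments"),
    ("192.0.2.0/24", "TEST-NET-1"),
    ("192.88.99.0/24", "6to4 Relay Anycast"),
    ("192.168.0.0/16", "Private-Use Networks"),
    ("198.18.0.0/15", "Network Interconnect Device Benchmark Testing"),
    ("198.51.100.0/24", "TEST-NET-2"),
    ("203.0.113.0/24", "TEST-NET-3"),
    ("224.0.0.0/4", "Multicast"),
    ("240.0.0.0/4", "Reserved for Future Use"),
    ("255.255.255.255/32", "Limited Broadcast"),
]]


def check(cidr, env):
    """Classify one planned subnet; env is 'prod' or 'lab' (assumed labels)."""
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    hits = [(blk, use) for blk, use in SPECIAL_USE if net.overlaps(blk)]
    if not hits:
        return "WARN: public address space, use only if it is assigned to you"
    inside = [(blk, use) for blk, use in hits if net.subnet_of(blk)]
    if not inside:
        # The plan is wider than the block it touches, e.g. a /15 over a /16.
        names = ", ".join(f"{blk} ({use})" for blk, use in hits)
        return f"WARN: spills outside the special-use blocks it overlaps: {names}"
    blk, use = max(inside, key=lambda h: h[0].prefixlen)  # most specific block
    if use == "Private-Use Networks":
        return f"OK: inside {blk} ({use})"
    if use.startswith("TEST-NET") and env == "lab":
        return f"OK: inside {blk} ({use}), lab only"
    return f"WARN: inside {blk} ({use}), not for {env} hosts"


if __name__ == "__main__":
    # Constructed addressing plan: (subnet, environment).
    plan = [("10.20.0.0/16", "prod"), ("203.0.113.0/24", "lab"),
            ("203.0.113.0/24", "prod"), ("192.168.0.0/15", "prod"),
            ("11.0.0.0/8", "prod"), ("198.18.5.0/24", "lab")]
    for cidr, env in plan:
        print(f"{cidr:<18} {env:<5} {check(cidr, env)}")
```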

Virtual Machines and Home Labs. Why do the vendors make it so hard ?

I am a big fan of running everything virtually.  There used to be a day when I had a ton of kit but now all I have is a small HP Microserver, an i7 Lenovo desktop PC, Lenovo T440S i7 Laptop and an i3 Surface Pro 3. I use VMware Workstation 10 as much as I can.   I used to use VirtualBox back in the day but found it just too troublesome with converting VMs from manufacturers.
Most of the time it is very easy to download a virtual machine from a manufacturer and it will just run.  Juniper, Microsoft and some others are good.  Some will be in VMware appliance formats.  Others use the open OVA format.  Others such as Cisco, F5 and Fortinet will only support OVAs that you can only import into ESX.  Workstation fails with various errors even though  – in theory – OVA is an open, portable format  …….
My fix is to do this:

1) Download VMware ESX evaluation

2) Install as a VM within VMware Workstation

3) Navigate to the ESX Management address via a browser.   Either use the Web GUI or vCentre GUI

4) Import the OVA into ESX

5) Once imported.   Navigate to the Data Store Browser.

6) Copy out the whole folder for the imported VM

7) Open the VMX in VMware Workstation.

8) Edit the NICs etc. as necessary

9) Start the VM

That seems to always work for me !
 

Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication Part 4 – More ASA Side

Some parts I forgot from the last few posts.
The ASA also uses Group Policy (not AD group policy!) configuration.  In here you set useful things such as DNS, domain and other properties.  It’s also the area to configure specifics for the IPSEC Phase 2 connection.   I normally use a GP per connection as it allows some flexibility when making changes later on.  You can also set some values within the default group policy that will be standard over the whole of your ASA; whether they get applied depends on whether inherit is turned on or not.
For Apple iOS devices IP Compression and PFS have to be turned on.  On Android, they must be off.  If they are set you get a strange symptom where the Android handset claims it’s connected (and the ASA even issues an IP address) but the device never shows as connected in ASDM.  It was only with use of various debugs that I managed to find this out.
Group policies therefore are:

!Apple iOS
group-policy GP_iOS internal
group-policy GP_iOS attributes
 dns-server value 10.100.200.10 10.100.202.10
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1
 ip-comp enable
 pfs enable
 default-domain value mydomain.local
!Android
group-policy GP_ANDR internal
group-policy GP_ANDR attributes
 dns-server value 10.100.202.10 10.100.200.10
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1
 default-domain value mydomain.local

That should complete all of the configuration required to allow iOS and Android devices to connect to a Cisco ASA using the inbuilt native IPSEC client using x509 certificates.   You really aren’t using Pre Shared Keys in this day and age, are you ?

Putty – Session Logs

A useful feature when you are working on multiple devices is to keep a session log for every session.  You can then easily see what you have typed or provide evidence.
To configure this for every session:
1) Open Putty
2) Select the Default Settings and press Load

3) Navigate to Session > Logging
4) Set the Log file name in a format that makes sense to you.  You can see mine

5) Navigate back to the sessions, making sure Default Settings is still highlighted and then press Save
Test !

Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication – Part 2

So in the previous post we were discussing Apple iOS.  Now you may have had the same issues with Android, with it becoming more popular.
First issue when configuring the ASA is the IKEv1 key exchange that goes on.  When a device attempts to connect, the client is asked to provide all of the key schemes that it supports.  Android 4.1+ and iOS 7 give out (in order):
Android

AES-CBC 256 Seconds 28800 SHA1 DH Gp 2
AES-CBC 256 Seconds 28800 MD5 DH Gp 2
AES-CBC 128 Seconds 28800 SHA1 DH Gp 2
AES-CBC 128 Seconds 28800 MD5 DH Gp 2
3DES-CBC Seconds 28800 SHA1 DH Gp 2
3DES-CBC Seconds 28800 MD5 DH Gp 2
DES-CBC Seconds 28800 SHA1 DH Gp 2
DES-CBC Seconds 28800 MD5 DH Gp 2

iOS 7

AES-CBC 256 Seconds 3600 SHA1 DH Gp 5
AES-CBC 256 Seconds 3600 SHA1 DH Gp 2
AES-CBC 128 Seconds 3600 SHA1 DH Gp 2
AES-CBC 256 Seconds 3600 MD5 DH Gp 5
AES-CBC 256 Seconds 3600 MD5 DH Gp 2
AES-CBC 128 Seconds 3600 MD5 DH Gp 2
3DES-CBC Seconds 3600 SHA1 DH Gp 2
3DES-CBC Seconds 3600 MD5 DH Gp 2
DES-CBC Seconds 3600 SHA1 DH Gp 2
DES-CBC Seconds 3600 MD5 DH Gp 2

Now that we have these values we can look at configuring the ASA to support native iOS and Android clients using x509 Certificate authentication.   It’s pretty obvious that the top one is the most secure, trailing off to blatantly insecure…….
Time for post 3……..
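Added example, not from the original post: Python that parses the offer lists above (it also accepts the layout used for the Windows Phone list in the earlier post), picks the strongest offer per client and renders it as an ASA IKEv1 policy in the same form as the crypto ikev1 policy stanza shown for Windows Phone. The policy number 10, the strength figures and the ranking order are assumptions made for illustration.

```python
import re

# Constructed sample input: the IKEv1 offers listed on this page, in order.
ANDROID = """\
AES-CBC 256 Seconds 28800 SHA1 DH Gp 2
AES-CBC 256 Seconds 28800 MD5 DH Gp 2
AES-CBC 128 Seconds 28800 SHA1 DH Gp 2
AES-CBC 128 Seconds 28800 MD5 DH Gp 2
3DES-CBC Seconds 28800 SHA1 DH Gp 2
3DES-CBC Seconds 28800 MD5 DH Gp 2
DES-CBC Seconds 28800 SHA1 DH Gp 2
DES-CBC Seconds 28800 MD5 DH Gp 2"""
IOS7 = """\
AES-CBC 256 Seconds 3600 SHA1 DH Gp 5
AES-CBC 256 Seconds 3600 SHA1 DH Gp 2
AES-CBC 128 Seconds 3600 SHA1 DH Gp 2
AES-CBC 256 Seconds 3600 MD5 DH Gp 5
AES-CBC 256 Seconds 3600 MD5 DH Gp 2
AES-CBC 128 Seconds 3600 MD5 DH Gp 2
3DES-CBC Seconds 3600 SHA1 DH Gp 2
3DES-CBC Seconds 3600 MD5 DH Gp 2
DES-CBC Seconds 3600 SHA1 DH Gp 2
DES-CBC Seconds 3600 MD5 DH Gp 2"""

LINE = re.compile(
    r"(AES|3DES|DES)(?:-CBC)?\s*(\d+)?\s+"
    r"(?:seconds\s+(\d+)|(\d+)\s+seconds)\s+(SHA1|MD5)\s+DH Gp (\d+)$", re.I)
# (ASA keyword, approximate effective strength in bits) for each cipher.
CIPHER = {("AES", 256): ("aes-256", 256), ("AES", 128): ("aes", 128),
          ("3DES", None): ("3des", 112), ("DES", None): ("des", 56)}
GROUP_ORDER = [1, 2, 5, 14, 19, 20]  # weakest to strongest (assumed ranking)

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised proposal: {line!r}")
    enc, bits, life_a, life_b, digest, group = m.groups()
    return {"enc": enc.upper(), "bits": int(bits) if bits else None,
            "lifetime": int(life_a or life_b), "hash": digest.upper(), "group": int(group)}

def rank(p):  # sort key: cipher strength, then SHA1 over MD5, then DH group
    return (CIPHER[p["enc"], p["bits"]][1], p["hash"] == "SHA1",
            GROUP_ORDER.index(p["group"]))

def weaknesses(p):  # parts of an offer that are weak by today's standards
    checks = [(p["enc"] == "DES", "56-bit DES"), (p["hash"] == "MD5", "MD5"),
              (p["group"] in (1, 2), f"DH group {p['group']}")]  # 1024-bit or less
    return [label for hit, label in checks if hit]

def strongest(offer_text):
    return max((parse(l) for l in offer_text.splitlines() if l.strip()), key=rank)

def asa_policy(p, number):
    """Render an offer as an ASA IKEv1 policy with certificate (rsa-sig) auth."""
    body = ["authentication rsa-sig", f"encryption {CIPHER[p['enc'], p['bits']][0]}",
            f"hash {'sha' if p['hash'] == 'SHA1' else 'md5'}",
            f"group {p['group']}", f"lifetime {p['lifetime']}"]
    return "\n".join([f"crypto ikev1 policy {number}"] + [" " + b for b in body])

if __name__ == "__main__":
    for name, offer in (("Android", ANDROID), ("iOS 7", IOS7)):
        best = strongest(offer)
        print(f"! {name}: weak parts left: {weaknesses(best)}\n{asa_policy(best, 10)}")
```

Every Android offer uses DH group 2, so even the strongest one is still flagged, while iOS 7 can be held to AES-256, SHA1 and DH group 5.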

VMware Workstation 8 – WAN simulation (Awesome feature alert)

Just found an awesome feature…… a bandwidth and interface error generator for each virtual NIC.  Great if you are doing Proof of Concept testing for high latency or even 3G simulated links.
To configure, locate the virtual NIC properties and press ‘Advanced’.
You will then be shown a screen where you can select preset bandwidth in both directions and packet loss.
It’s truly an awesome product that amazes me each time I try to do something.

Native Apple iOS Client to Cisco ASA VPN using Certificate Authentication – Part 1

I have been working on this for a while now.  Because of a variety of reasons that I can’t go into here some of my configuration was mandatory.
The Apple iOS (used on iPhone, iPad and iPod Touch) has an in-built VPN client that Cisco assisted with development.  It supports PPTP, L2TP and IPSEC.  Unless you are crazy you would only seriously use IPSEC.  However, it only supports IPSEC using IKEv1 key negotiation.  Unless you have a specific reason, really only IKEv2 should be used as it has a number of performance and security benefits.  So that causes a problem with iOS devices.
Using IKEv1 in conjunction with a group/pre-shared key is well documented and simple to get working.  If you are using Certificates then it gets a whole lot more interesting.
One fix is to use the AnyConnect client from the App Store.  This is free to download and can be deployed using the Apple Configurator utility from a Mac OSX device.  This allows SSL VPN as well as IPSEC IKEv2 connections (in version 3.0 of the AnyConnect iOS/Android client) and has enterprise grade tools such as logging, diagnostics and a tool similar to the DART utility that the desktop AnyConnect has.
The difficulty with this is that even though you have purchased SSL VPN user licences (AnyConnect Essentials or Premium) Cisco still want some more money in the guise of an ‘AnyConnect Mobile’ licence.  These retail at around £500 but it is still another outlay you did not bargain for.  Also your security policy may mandate the use of the built-in client, so it’s time to roll up your sleeves.

So what’s it doing ?

As with most things, being able to see what the iOS device is actually doing would be a good start.  In Apple’s infinite wisdom any user messages are usually “cannot connect”, “unable to verify server” and not a lot else.
Armed with a Mac you do have a number of tools at your disposal.  Of course if you are reading this it stands a good chance you are doing this in a company and you will need a Mac to deploy Enterprise profiles to iOS devices as, let’s face it, you really, really should lock those babies down.
1) Remember the Mac OSX VPN client is very similar to the iOS VPN client, so if it’s possible to replicate the configuration on the Mac, you may see something more useful to start with.  In my experience you don’t but it’s worth mentioning.
2) Using Xcode it’s possible to see the iOS device’s system log in realtime (equivalent of the /var/log/messages file).  From this you can see more useful messages from the client.  To do this:

  • Install either Xcode or the Apple Enterprise Configurator from http://www.apple.com/support/iphone/enterprise/  I used Xcode
  • Open Xcode, then select Window > Organiser
  • Connect the iOS device to your Mac using a USB cable
  • You should then be able to select the device then Console Log

3) For a low level view of what’s going on you can use the Mac to create a virtual interface to tunnel the iOS devices network traffic over.  From then you can use TcpDump to take packet captures.
You again need a Mac, USB cable and a utility from the App Store that you can use to pull the iOS device’s UDID down.  This is important.  I used UDID+ but there are others.   Quite how this will work when Apple remove it from iOS 6 is not well known…… anyhooo…..  Once you have the UDID run the following on the Mac:

$ # First get the current list of interfaces.
$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0
$ # Then run the tool with the UDID of the device.
$ rvictl -s 74bd53c647548234ddcef0ee3abee616005051ed
Starting device 74bd53c647548234ddcef0ee3abee616005051ed     [SUCCEEDED]
$ # Get the list of interfaces again, and you can see the new virtual
$ # network interface, rvi0, added by the previous command.
$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0 rvi0

Then

$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.rpmuxd.plist

Now that you know the name of the RVI, you can point your packet trace tool at it. For example, here’s how you might run tcpdump to take a packet trace from the RVI.

$ sudo tcpdump -i rvi0 -n
tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
(BIOCPROMISC: Operation not supported on socket)
tcpdump: WARNING: rvi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rvi0, link-type RAW (Raw IP), capture size 65535 bytes


When you’re done you can remove the RVI with the following command.

$ rvictl -x 74bd53c647548234ddcef0ee3abee616005051ed
Stopping device 74bd53c647548234ddcef0ee3abee616005051ed [SUCCEEDED]

That should get you into a position where you can debug the client traffic.  Simply open the captured traffic up in Wireshark and you may have a clue…….
In part 2, I’ll discuss ASA configuration and what works, what does not and what is a Cisco ASA bug !

© 2024 Kevsters Blog