Kevsters Blog

My little part of the Internet


Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication Part 3 – ASA Side

So based on the last post, you can now start to configure the ASA to support Apple iOS and Android devices.
Firstly we need to add an IKEv1 policy to allow IKE Phase 1 to establish:

! Android
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
! iOS
crypto ikev1 policy 12
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 3600

This allows the device to at least connect to the ASA to authenticate.
There is an assumption that your ASA already has installed, and trusts, the CAs that the client device certificates are issued by.  This is out of scope here; however, it’s imperative that this is in place.  It’s also crazy if you haven’t got CRL processing in place, but you should know that as well.
From an ASA profile perspective it’s simple.  As stated before, both Android and iOS only support IKEv1, so you have to create IKEv1 profiles for these connections.  The strange part of defining an IKEv1 profile is that it has to have an AAA entry set.  In my case I normally define a new AAA group that has no authentication.

aaa-server NO_USER_AUTH protocol http-form

This can then be applied to a new profile.  It’s not used for authentication (remember – you are using certificates only), thus:

tunnel-group IOSandAND type remote-access
tunnel-group IOSandAND general-attributes
 ! Clients will use addressing from the named pool shown
 address-pool IOSandAND-Pool
 ! Don't use any client authentication (other than Certificate)
 authentication-server-group NO_USER_AUTH
 ! Group policy applied for connection
 default-group-policy GP_IOSandAND
tunnel-group IOSandAND ipsec-attributes
 ! Define CA that client connections will be signed by
 ikev1 trust-point MyCA.key
 ! Define no user authentication
 ikev1 user-authentication none

Depending on whether you use DAP etc. (and you really should), you will have to add a basic policy to allow Android and iOS devices to connect.  There are no posture checks available for native clients due to what the clients expose.  If you want to do this then the client will need to use the AnyConnect client (free), you will need an AnyConnect Mobility licence for the ASA (circa £500), and you can then use IKEv2, which negates a lot of this configuration.
Anyway, hope it helps some of you.

Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication – Part 2

So in the previous thread we were discussing Apple iOS.  Now you may have had the same issues with Android, with it becoming more popular.
The first issue when configuring the ASA is the IKEv1 key exchange that goes on.  When a device attempts to connect, the client is asked to provide all of the key schemes that it supports.  Android 4.1+ and iOS 7 give out (in order):
Android

AES-CBC 256 Seconds 28800 SHA1 DH Gp 2
AES-CBC 256 Seconds 28800 MD5 DH Gp 2
AES-CBC 128 Seconds 28800 SHA1 DH Gp 2
AES-CBC 128 Seconds 28800 MD5 DH Gp 2
3DES-CBC Seconds 28800 SHA1 DH Gp 2
3DES-CBC Seconds 28800 MD5 DH Gp 2
DES-CBC Seconds 28800 SHA1 DH Gp 2
DES-CBC Seconds 28800 MD5 DH Gp 2

iOS 7

AES-CBC 256 Seconds 3600 SHA1 DH Gp 5
AES-CBC 256 Seconds 3600 SHA1 DH Gp 2
AES-CBC 128 Seconds 3600 SHA1 DH Gp 2
AES-CBC 256 Seconds 3600 MD5 DH Gp 5
AES-CBC 256 Seconds 3600 MD5 DH Gp 2
AES-CBC 128 Seconds 3600 MD5 DH Gp 2
3DES-CBC Seconds 3600 SHA1 DH Gp 2
3DES-CBC Seconds 3600 MD5 DH Gp 2
DES-CBC Seconds 3600 SHA1 DH Gp 2
DES-CBC Seconds 3600 MD5 DH Gp 2

Now we have these values we can look at configuring the ASA to support native iOS and Android clients using X.509 certificate authentication.  It’s pretty obvious that the top one is the most secure, trailing off to blatantly insecure…….
Time for post 3……..
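
An added example (not from the original post): a small Python check that takes the client offers listed above and the two ASA policies from Part 3 and reports which offers the ASA can accept and which weak offers it has to keep refusing. It matches on encryption, hash and DH group only; leaving the lifetime out of the match is a simplifying assumption, and the function names are illustrative.

```python
import re
from typing import NamedTuple

class Suite(NamedTuple):
    enc: str       # ASA keyword: aes-256, aes-128, 3des, des
    hash: str      # ASA keyword: sha (SHA-1) or md5
    group: int     # Diffie-Hellman group
    lifetime: int  # seconds
# Client offers copied from the lists above, two per line, in the order sent.
ANDROID = """
AES-CBC 256 Seconds 28800 SHA1 DH Gp 2   AES-CBC 256 Seconds 28800 MD5 DH Gp 2
AES-CBC 128 Seconds 28800 SHA1 DH Gp 2   AES-CBC 128 Seconds 28800 MD5 DH Gp 2
3DES-CBC Seconds 28800 SHA1 DH Gp 2      3DES-CBC Seconds 28800 MD5 DH Gp 2
DES-CBC Seconds 28800 SHA1 DH Gp 2       DES-CBC Seconds 28800 MD5 DH Gp 2
"""
IOS7 = """
AES-CBC 256 Seconds 3600 SHA1 DH Gp 5    AES-CBC 256 Seconds 3600 SHA1 DH Gp 2
AES-CBC 128 Seconds 3600 SHA1 DH Gp 2    AES-CBC 256 Seconds 3600 MD5 DH Gp 5
AES-CBC 256 Seconds 3600 MD5 DH Gp 2     AES-CBC 128 Seconds 3600 MD5 DH Gp 2
3DES-CBC Seconds 3600 SHA1 DH Gp 2       3DES-CBC Seconds 3600 MD5 DH Gp 2
DES-CBC Seconds 3600 SHA1 DH Gp 2        DES-CBC Seconds 3600 MD5 DH Gp 2
"""
# The two "crypto ikev1 policy" entries from Part 3 (rsa-sig on both).
POLICIES = {10: Suite("aes-256", "sha", 2, 28800), 12: Suite("aes-256", "sha", 5, 3600)}
OFFER_RE = re.compile(r"\b(3DES|DES|AES)-CBC (?:(\d+) )?Seconds (\d+) (SHA1|MD5) DH Gp (\d+)")

def parse_offers(text):
    """Turn the offer text into Suites that use the ASA's own keywords."""
    return [Suite((c + ("-" + bits if bits else "")).lower(),
                  "sha" if h == "SHA1" else "md5", int(grp), int(secs))
            for c, bits, secs, h, grp in OFFER_RE.findall(text)]

def acceptable(offers, policies):
    """(policy number, offer) pairs that agree on encryption, hash and DH group."""
    # Assumption: lifetime is not part of the match in this model.
    return [(n, o) for n, p in sorted(policies.items()) for o in offers
            if (o.enc, o.hash, o.group) == (p.enc, p.hash, p.group)]

def weaknesses(s):
    """Weak primitives flagged in a suite; an empty list means none flagged."""
    checks = [(s.enc in ("des", "3des"), s.enc + ": 64-bit block cipher"),
              (s.hash == "md5", "md5: collisions are practical"),
              (s.group == 2, "group 2: 1024-bit MODP")]
    return [note for hit, note in checks if hit]

def exposure(offers, policies):
    """Weak offers the client sends that no configured policy accepts."""
    ok = {o for _, o in acceptable(offers, policies)}
    return [o for o in offers if o not in ok and weaknesses(o)]

if __name__ == "__main__":
    for name, text in (("Android", ANDROID), ("iOS 7", IOS7)):
        offers = parse_offers(text)
        print(name, acceptable(offers, POLICIES), len(exposure(offers, POLICIES)))
```

Adding a weaker policy to the ASA later moves offers from the `exposure` list into the `acceptable` list, which is the thing to re-check after any policy change.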

HMRC Basic PAYE Tools for RTI – Problems submitting RTI

Being part of a small business, we used to use the HMRC provided Basic PAYE Tools (BPT) for Payroll.  With the changes in this tax year a new version has been provided to support the RTI submissions.
The old software front end was built in Flash with a Python/MySQL backend.  Whether or not that was a good idea is debatable but at least it was clear.  The new version appears to be Python with SQLite utilising a small HTTP server running on the local machine.
The new version now looks more like the web site and (IMHO) is very poorly designed.  It’s overcomplicated and gives very little feedback.
We had problems submitting any return.  A standard ‘page cannot be displayed’ was shown.  Very helpful.
The HMRC helpdesks were either engaged or no help so I did some digging……
I finally stumbled on the solution.  We had imported all of our data from the 2012-2013 BPT system, company details and all.  Looking at an employee’s records, all looked well.  However, after clicking ‘edit PAYE details’ some fields were shown to be mandatory.  Once these were filled in, the preview and submit all worked !!!!
There does not seem to be any real way to submit any feedback to HMRC but I may try an alternate method …… 🙂

VMware Workstation 8 – WAN simulation (Awesome feature alert)

Just found an awesome feature…… a bandwidth and interface error generator for each virtual NIC.  Great if you are doing Proof of Concept testing for high latency or even 3G simulated links.
To configure, locate the virtual NIC properties and press ‘Advanced’.
[Screenshot: VMw-Net1]
Then you will be shown this screen.  You can select preset bandwidth in both directions and packet loss.
[Screenshot: VMw-Net2]
It’s truly an awesome product that amazes me each time I try to do something.

Native Apple iOS Client to Cisco ASA VPN using Certificate Authentication – Part 1

I have been working on this for a while now.  Because of a variety of reasons that I can’t go into here some of my configuration was mandatory.
The Apple iOS (used on iPhone, iPad and iPod Touch) has an in-built VPN client that Cisco assisted with development.  It supports PPTP, L2TP and IPSEC.  Unless you are crazy you would only seriously use IPSEC.  However, it only supports IPSEC using IKEv1 key negotiation.  Unless you have a specific reason, really only IKEv2 should be used as it has a number of performance and security benefits.  So that causes a problem with iOS devices.
Using IKEv1 in conjunction with a group/pre-shared key is well documented and simple to get working.  If you are using certificates then it gets a whole lot more interesting.
One fix is to use the AnyConnect client from the App Store.  This is free to download and can be deployed using the Apple Configurator utility from a Mac OSX device.  This allows SSL VPN as well as IPSEC IKEv2 connections (in version 3.0 of the AnyConnect iOS/Android client) and has enterprise grade tools such as logging, diagnostics and a tool similar to the DART utility that the desktop AnyConnect has.
The difficulty with this is that even though you have purchased SSL VPN user licences (AnyConnect Essentials or Premium) Cisco still want some more money in the guise of an ‘AnyConnect Mobile’ licence.  These retail at around £500 but it is still another outlay you did not bargain for.  Also your security policy may mandate the use of the built-in client so it’s time to roll up your sleeves.

So what’s it doing ?

As with most things, being able to see what the iOS device is actually doing would be a good start.  In Apple’s infinite wisdom any user messages are usually “cannot connect”, “unable to verify server” and not a lot else.
Armed with a Mac you do have a number of tools at your disposal.  Of course if you are reading this it stands a good chance you are doing this in a company and you will need a Mac to deploy Enterprise profiles to iOS devices as, let’s face it, you really, really should lock those babies down.
1) Remember the Mac OSX VPN client is very similar to the iOS VPN client so if it’s possible to replicate the configuration on the Mac, you may see something more useful to start with.  In my experience you don’t but it’s worth mentioning.
2) Using Xcode it’s possible to see the iOS device’s system log in real time (equivalent of the /var/log/messages file).  From this you can see more useful messages from the client.  To do this:

  • Install either Xcode or the Apple Enterprise Configurator from http://www.apple.com/support/iphone/enterprise/ (I used Xcode)
  • Open Xcode, then select Window > Organizer
  • Connect the iOS device to your Mac using a USB cable
  • You should then be able to select the device, then Console Log

3) For a low level view of what’s going on you can use the Mac to create a virtual interface to tunnel the iOS device’s network traffic over.  From then you can use tcpdump to take packet captures.
You again need a Mac, a USB cable and a utility from the App Store that you can use to pull the iOS device’s UDID down.  This is important.  I used UDID+ but there are others.   Quite how this will work when Apple remove it from iOS 6 is not well known…… anyhooo…..  Once you have the UDID run the following on the Mac:

$ # First get the current list of interfaces.
$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0
$ # Then run the tool with the UDID of the device.
$ rvictl -s 74bd53c647548234ddcef0ee3abee616005051ed
Starting device 74bd53c647548234ddcef0ee3abee616005051ed [SUCCEEDED]
$ # Get the list of interfaces again, and you can see the new virtual
$ # network interface, rvi0, added by the previous command.
$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0 rvi0

Then

$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.rpmuxd.plist

Now that you know the name of the RVI, you can point your packet trace tool at it. For example, here’s how you might run tcpdump to take a packet trace from the RVI.

$ sudo tcpdump -i rvi0 -n
tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
(BIOCPROMISC: Operation not supported on socket)
tcpdump: WARNING: rvi0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rvi0, link-type RAW (Raw IP), capture size 65535 bytes


When you’re done you can remove the RVI with the following command.

$ rvictl -x 74bd53c647548234ddcef0ee3abee616005051ed
Stopping device 74bd53c647548234ddcef0ee3abee616005051ed [SUCCEEDED]

That should get you into a position where you can debug the client traffic.  Simply open the captured traffic up in Wireshark and you may have a clue…….
In part 2, I’ll discuss ASA configuration and what works, what does not and what is a Cisco ASA bug !

My beef with Apple

I have been thinking about just putting some thoughts down for a while. I’d also like to say I don’t have a favourite vendor or affinity with a manufacturer. I work with Microsoft, Google and other companies’ stuff all the time. The right tool for the job is my ethos.
Recently I have got a real hump with Apple in general. We have had (in total) in our house:

  • iPod classic
  • 2 x iPod touch
  • iPhone 4
  • iPad 2
  • Unibody MacBook

So you can’t say I can’t talk about their stuff as they have certainly taken my money.
My main problem is how quickly they seem to abandon products and stop releasing upgrades/patches. My old first gen iPod Touch is stuck on iOS 3 something, which has known security vulnerabilities that at the time they could have fixed. In the end it helped as I could use the PDF flaw to install Cydia but that’s another story. My iPhone 4 and iPad 2 are more than capable of running Siri but no, you need to upgrade. (Turns out it’s crap anyway but that’s not the point.) iOS 6 maps are a joke and don’t get me started on their ‘Enterprise’ features such as VPN that I’m currently fighting with.
Their lock in also annoys me. The only method of playing stuff purchased on iTunes is to use a MacBook with iTunes and let that download purchased tunes so you can extract MP3s from its file system. So iCloud won’t let you access anything of use using a browser. Not even my bloody photos taken with iDevices. Even my MacBook running OSX Lion can’t unless I pay £10 for an iPhoto upgrade. And iTunes is still a spreadsheet smothered in excrement.
Don’t get me wrong. The industrial design is mostly beautiful and has helped inspire/kick the industry into making decent products. However they also make some stupid decisions like the new lightning connectors on the new kit. 1000s of aftermarket devices just going to end up in landfill or lots of £20 adapters being sold……
I’m astounded that normal folks will pay a lot of their hard earned money to buy their devices. Perhaps they don’t care about some of the things I have said but it’s very difficult to explain to them that no, I can’t get your pictures off easily or no, your music can’t be played anywhere else.
Me. Well the iPad and MacBook are going soon. The iPhone went a while back so I have nearly purged my life of their stuff. Not good riddance but more ‘go away, get your sh1t together and don’t bother me for a while’.

RSA Authentication Manager – Custom Reports

Working with this product, it’s evident that the inbuilt reports are not that useful for certain things.   I wanted to find a way of logging users who have used SecurID to authenticate against a number of hosts.

So time to learn the custom queries section of the product, methinks.

The Server is (obviously) SQL based.  The schema is fairly easy to understand, especially if you look at the examples within the help text or provided on the server.

It is possible to import my SQL scripts by creating a new Custom Query then pasting in the SQL. So…. scripts:

Today’s Unique User Count

SELECT COUNT(DISTINCT chUserName)
FROM SDLogEntry
WHERE dtLocalDate = GMTDateNow
AND iMessageNum = 1011
AND (CHClientName = "host1" OR CHClientName = "host2")

Remember to change the host1 and host2 entries to your device host names, obviously.  If you have more, then add more to the last AND.

Message Number 1011 is a ‘Passcode Successful’ – meaning a successful authentication.

Today’s Successful Users

SELECT SDLogEntry.dtLocalDate, SDLogEntry.TLocalTOD, SDLogEntry.chUserName, SDLogEntry.chLogin, SDLogEntry.chClientName, SDLogMessage.chShortMessage
FROM SDLogEntry, SDLogMessage
WHERE SDLogEntry.dtLocalDate = GMTDateNow
AND SDLogEntry.iMessageNum = 1011
AND SDLogMessage.iMessageNum = SDLogEntry.iMessageNum
AND (SDLogEntry.CHClientName = "host1" OR SDLogEntry.CHClientName = "host2")

Again 1011 is a successful passcode.

This uses a select from multiple tables to get the actual description of the message number to make the report more readable.

Today’s Failures

SELECT SDLogEntry.dtLocalDate, SDLogEntry.TLocalTOD, SDLogEntry.chUserName, SDLogEntry.chLogin, SDLogEntry.chClientName, SDLogMessage.chShortMessage
FROM SDLogEntry, SDLogMessage
WHERE SDLogEntry.dtLocalDate = GMTDateNow
AND SDLogEntry.iMessageNum <> 1011
AND SDLogMessage.iMessageNum = SDLogEntry.iMessageNum
AND (SDLogEntry.CHClientName = "host1" OR SDLogEntry.CHClientName = "host2")

This uses the same format as success but with a ‘not’ 1011.  The report can be useful to troubleshoot users having problems or who are dim 🙂

Using Arguments to Select Dates

All of the above are for a single day, which is specified by the ‘GMTDateNow’ value.  This can be changed to use Argument Selectors which you can build in the same screen as the SQL entry.  Thus an example of ‘Successful Users’ would be:

SELECT SDLogEntry.dtLocalDate, SDLogEntry.TLocalTOD, SDLogEntry.chUserName, SDLogEntry.chLogin, SDLogEntry.chClientName, SDLogMessage.chShortMessage
FROM SDLogEntry, SDLogMessage
WHERE SDLogEntry.dtLocalDate > ARG01 AND SDLogEntry.dtLocalDate < ARG02
AND SDLogEntry.iMessageNum = 1011
AND SDLogMessage.iMessageNum = SDLogEntry.iMessageNum
AND (SDLogEntry.CHClientName = "host1" OR SDLogEntry.CHClientName = "host2")

Where ARG01 = Start Date and ARG02 = End Date

These can be applied to any of the reports.

Other Information

One thing I found is that the custom queries are stored locally on the machine that creates the reports, so to share them with others you have to use a fileshare, USB disk or similar method.

Also the HTML format reports aren’t too bad so it’s worth a look at using this output method.

iPhone-less

Yay. I’m finally free of my iPhone 4 as of a couple of days ago. They may be fairly decent portable computers but IMHO are second rate phones. Also once you are outside of the standard apps most of the others are pretty crummy.
I’m now the proud owner of a Nokia Lumia 900 running Windows Phone 7. If you want to see something really well thought out with beautiful hardware then check one out. The integration the OS has with Twitter and Facebook is really good and sets a standard iOS really needs to catch up to.
Plus I’m not an iSheep (well apart from the iPad, Mac and old iPod Touch) but I’m working on that!

Awesome Multifactor Authentication – and Free !

If you have any need for strong authentication for *nix systems, WordPress, Juniper/Cisco VPN devices or RADIUS servers then check out http://www.duosecurity.com/
It’s simply awesome and free for up to 10 users !
I’m using it for a variety of projects……

Quick Tip: 6500 Chassis Serial Number

Why oh why Cisco ?

On most devices the serial number can be seen in the output of show version or a similar command.

c6500s are different…….   use  show idprom backplane instead


    © 2018 Kevsters Blog
