Thursday, May 9, 2013

ssl

There are three options to remote access on a Cisco router:

1. PPTP/L2TP + Windows built-in software - simple to configure, CAN use the Internet while using the VPN router

2. IPSec (EZVPN) + Cisco VPN Client software - relatively simple to set up, VPN traffic via the VPN router, Internet traffic via the local router (by enabling split tunnelling)

3. Web SSL VPN + NO software needed - complicated to set up, flexible, can send ALL traffic to the VPN router (or offload Internet traffic via the local router), can pass through firewalls as it is utilising HTTPS, this is the future.


Web SSL VPN delivers the following three modes of SSL VPN access:
Clientless - Clientless mode provides secure access to private web resources and will provide access to web content. This mode is useful for accessing most content that you would expect to access in a web browser such as Internet access, web-based intranet, webmail etc.
Thin Client (port-forwarding Java applet) - Thin client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet and Secure Shell (SSH).
Tunnel Mode (AnyConnect Secure Mobility Client) - Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.
The advantage of SSL VPN comes from its accessibility from almost any Internet-connected system without needing to install additional desktop software.


Port reference
GRE: IP protocol number 47.
PPTP: TCP port 1723
L2TP: UDP port 1701

IPSec:
  • IP Protocol ID 50:
    For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
  • IP Protocol ID 51:
    For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.
  • UDP Port 500:
    For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.
Web SSL VPN: TCP port 443

http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol
http://support.microsoft.com/kb/233256
http://technet.microsoft.com/library/cc768084.aspx
http://www.cisco.com/en/US/products/ps6659/prod_configuration_examples_list.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bdf.pdf
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/904-cisco-router-anyconnect-webvpn.html


Friday, March 1, 2013

ISAKMP Profile

ISAKMP Profile Overview
The ISAKMP profile is an enhancement to Internet Security Association and Key Management Protocol (ISAKMP) configurations. It enables modularity of ISAKMP configuration for phase 1 negotiations. This modularity allows mapping different ISAKMP parameters to different IP Security (IPSec) tunnels, and mapping different IPSec tunnels to different VPN forwarding and routing (VRF) instances. The ISAKMP profile enhancement was released as part of the VRF-aware IPSec feature in Cisco IOS® Software Release 12.2(15)T. Today, many applications and enhancements use the ISAKMP profile, including quality of service (QoS), router certificate management, and Multiprotocol Label Switching (MPLS) VPN configurations. This document provides an overview of the ISAKMP profile and a description of the current applications that use the profile.


WHEN TO USE THE ISAKMP PROFILE
• Any router with two or more IPSec connections that requires different phase 1 parameters for different sites (for example, configuring site-to-site and remote access on the same router).
• It is recommended to use an ISAKMP profile with Easy VPN Remote or Easy VPN Server configurations.
• If custom Internet Key Exchange (IKE) Phase 1 policies are needed for different peers. For example, when XAUTH is to be applied to a specific peer rather than on every connection.
• IPSec configuration using VRF-aware IPSec, which allows the use of a single IP address to connect to different peers with different IKE Phase 1 parameters.

VRF-aware IPSec example:
crypto isakmp profile vpn1
   vrf vpn1
   keyring vpn1
   match identity address 172.16.1.1 255.255.255.255
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpn1
 set isakmp-profile vpn1
 match address 101
!
interface Ethernet1/2
 crypto map crypmap
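As an added example (not code from the Cisco document or this post), a small Python audit that parses the IOS snippet above and checks that every ipsec-isakmp crypto-map entry is bound to a defined ISAKMP profile whose match identity actually covers the configured peer. The second map entry and the profile name vpn2 are constructed so the audit has something to report.

```python
import ipaddress
# Constructed sample: the post's VRF-aware snippet plus a map entry bound to an undefined profile.
SAMPLE_CONFIG = """\
crypto isakmp profile vpn1
   vrf vpn1
   keyring vpn1
   match identity address 172.16.1.1 255.255.255.255
crypto map crypmap 1 ipsec-isakmp
 set peer 172.16.1.1
 set isakmp-profile vpn1
 match address 101
crypto map crypmap 2 ipsec-isakmp
 set peer 172.16.2.1
 set isakmp-profile vpn2
"""
def parse_ios(config):
    # Returns ({profile_name: {...}}, [crypto-map entries]) from IOS config text.
    profiles, maps, block = {}, [], None
    for raw in config.splitlines():
        words = raw.split()
        if raw and not raw[0].isspace():
            block = None  # an unindented line ends the current block
        if words[:3] == ["crypto", "isakmp", "profile"]:
            block = profiles.setdefault(words[3], {"identities": []})
        elif words[:2] == ["crypto", "map"] and "ipsec-isakmp" in words:
            block = {"name": f"{words[2]} {words[3]}"}
            maps.append(block)
        elif block is not None and words:
            if words[:3] == ["match", "identity", "address"]:
                block.setdefault("identities", []).append(f"{words[3]}/{words[4]}")
            elif words[:2] == ["set", "peer"]:
                block["peer"] = words[2]
            elif words[:2] == ["set", "isakmp-profile"]:
                block["profile"] = words[2]
            elif words[0] in ("vrf", "keyring"):
                block[words[0]] = words[1]
    return profiles, maps

def audit(config):
    # One finding per map entry whose profile is undefined or whose identity does not cover the peer.
    profiles, maps = parse_ios(config)
    findings = []
    for m in maps:
        prof = profiles.get(m.get("profile"))
        if prof is None:
            findings.append(f"{m['name']}: isakmp-profile {m.get('profile')} not defined")
        elif not any(ipaddress.ip_address(m["peer"]) in ipaddress.ip_network(i, strict=False)
                     for i in prof["identities"]):
            findings.append(f"{m['name']}: peer {m['peer']} matches no identity in {m['profile']}")
    return findings
```

A peer that no identity covers will fall through to the default ISAKMP policy instead of the profile's VRF, keyring and phase 1 settings, which is exactly the misbinding this check surfaces.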


Thursday, February 21, 2013

Juniper Netscreen: How do I capture debugging (debug flow) information


From the command line interface (CLI):

!Turn on the dbuf buffer
set console dbuf

!Set the parameters for debugging
set ffilter src-ip 192.168.10.50

!Turn on the debug flow
debug flow basic

!Use debug flow drop command to see dropped or denied packets (including those that did not make it to the policy engine).
debug flow drop

!Turn debug off
undebug all

!Check the captured stream
get dbuf stream


How to configure preempt and priority NSRP options. How to force one firewall to be the preferred master.

SUMMARY:
How to force a device in the cluster to be the preferred master?
PROBLEM OR GOAL:
One of the firewalls of the cluster needs to be the preferred master.  How do you configure this?
SOLUTION:
The NSRP parameters preempt and priority are used to control the preferred master.  

Step 1.  On the preferred master, enable 'preempt' mode and assign it a lower priority than the other firewall in the cluster.
Configuration example:
Important:  The device with the lowest priority will be the preferred master.
nsisg1000(M)-> set nsrp vsd-group id 0 priority 50    <- Assign the priority to the device. By default the priority is 100
nsisg1000(M)-> set nsrp vsd-group id 0 preempt        <- Enable preempt mode

To verify configuration:
nsisg1000(M)-> get nsrp vsd-group
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0       50 yes            3 no       myself 12090607 
total number of vsd groups: 1
Total iteration=375750,time=399053148,max=6586,min=274,average=1062
 
Step 2.  On the other firewall, the preferred backup, only the priority needs to be specified.  Assign the priority to be a higher value than the priority of the preferred master.
nsisg1000(B)-> set nsrp vsd-group id 0 priority 100  

Note:  A preempt hold-time may also be configured on the preferred master.  Refer to the Concepts & Examples ScreenOS Reference Guide: Vol 11, High Availability for more information.
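Added example, not part of the Juniper KB text: a Python helper that parses the 'get nsrp vsd-group' table from each cluster member and reports which device should win the election under the rule above (lowest priority, preempt enabled), flagging priority ties and a preferred master that has preempt off. The member names fw1/fw2 and the second device's output are constructed.

```python
import re
# Constructed sample outputs of 'get nsrp vsd-group' from both cluster members,
# in the layout shown in the post (only the vsd-group table row is parsed).
OUTPUT_FW1 = """\
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0       50 yes            3 no       myself 12090607
total number of vsd groups: 1
"""
OUTPUT_FW2 = """\
VSD group info:
group priority preempt holddown inelig   master       PB other members
    0      100 no             3 no       12090607 myself
total number of vsd groups: 1
"""
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(yes|no)\s+(\d+)\s+(yes|no)\s+(\S+)\s+(\S+)", re.M)

def parse_vsd_group(output, group_id=0):
    # Pull priority/preempt/holddown/inelig/master for one VSD group out of the table.
    for m in ROW.finditer(output):
        if int(m.group(1)) == group_id:
            return {"priority": int(m.group(2)), "preempt": m.group(3) == "yes",
                    "holddown": int(m.group(4)), "ineligible": m.group(5) == "yes",
                    "master": m.group(6)}
    raise ValueError(f"vsd-group {group_id} not found in output")

def expected_master(outputs):
    # Given {member_name: output}, return (member that should be master, warnings).
    # Rule from the post: lowest priority wins, and it needs preempt to reclaim mastership.
    rows = {n: parse_vsd_group(o) for n, o in outputs.items()}
    eligible = {n: r for n, r in rows.items() if not r["ineligible"]}
    if not eligible:
        raise ValueError("no eligible member in the cluster")
    lowest = min(r["priority"] for r in eligible.values())
    winners = sorted(n for n, r in eligible.items() if r["priority"] == lowest)
    warnings = []
    if len(winners) > 1:
        warnings.append(f"priority tie at {lowest}: no deterministic preferred master")
    winner = winners[0]
    if not eligible[winner]["preempt"]:
        warnings.append(f"{winner} has the lowest priority but preempt is off; "
                        "it will not take mastership back after recovering")
    for n, r in eligible.items():
        if n != winner and r["preempt"]:
            warnings.append(f"{n} has preempt enabled but is not the preferred master")
    return winner, warnings
```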