Category Archives: Routing

Cisco AnyConnect VPN with Cisco 3845

Now that the implementation of the AnyConnect Client on our ASA5500 is in a good state, I want to have a backup until our production hardware is delivered. 😉

So I decided to use one of our Cisco 3845 routers to do the job.

show version

[sourcecode gutter=”false” autolinks=”false” collapse=”true”]
C3845#show version
Load for five secs: 1%/0%; one minute: 3%; five minutes: 3%
Time source is NTP, 07:48:17.248 CET Sat Sep 11 2010
Cisco IOS Software, 3800 Software (C3845-ADVSECURITYK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 16:43 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T10, RELEASE SOFTWARE (fc1)

C3845 uptime is 34 weeks, 4 days, 14 hours, 47 minutes
System returned to ROM by reload at 15:53:45 CET Mon Jan 11 2010
System restarted at 15:55:20 CET Mon Jan 11 2010
System image file is "flash:c3845-advsecurityk9-mz.150-1.M1.bin"
[/sourcecode]

First I installed the AnyConnect package on the router.

[sourcecode gutter=”false” autolinks=”false”]
C3845(config)#webvpn install svc flash:/anyconnect-win-2.5.1025-k9.pkg sequence 1
SSLVPN Package SSL-VPN-Client (seq:1): installed successfully
[/sourcecode]

[sourcecode gutter=”false” autolinks=”false”]
ip local pool CSM_POOL_1 10.2.16.20 10.2.16.30
ip local pool vpnpool 10.2.16.31 10.2.16.41
ip local pool SSLVPNClient 10.2.16.50 10.2.16.60
!
webvpn gateway SSLVPN
   ip address 192.168.10.66 port 443
   ssl trustpoint TP-self-signed-2234495401
   inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.1025-k9.pkg sequence 1
!
webvpn context SSLVPN
   ssl authenticate verify all
   !
   !
   policy group SSLVPN
      functions svc-required
      svc address-pool "CSM_POOL_1"
      svc keep-client-installed
      svc dns-server primary 10.0.243.143
      svc dns-server secondary 10.0.243.144
   default-group-policy SSLVPN
   gateway SSLVPN
   inservice
!
[/sourcecode]
If you feel this helps a bit, or maybe not, please leave a comment.


Cisco ASA AnyConnect VPN

Some notes on what to do

http://www.block.net.au/blogs/james/pages/active-directory-vpn-authentication-with-a-cisco-asa-5510-series-appliance.aspx

RADIUS authentication for the ASA

ASA 8.X: AnyConnect Start Before Logon Feature Configuration

Configuration Examples and TechNotes

ToDo:

av-pairs ????

certificate selection process

certificate import on CLI / ASDM / IOS

set the certificate on the interface : ssl trust-point MyTrustPoint Outside

Docu: Backup Gateway

Pictures: ASDM, CCP

Write complete setup down ….

Reference the Docu. :-)

http://www.cisco.com/en/US/docs/security/asa/asa83/getting_started/5500/guide/getstart.html

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/svc.html#wp1090595

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/config.html

http://www.cisco.com/en/US/products/ps8411/prod_maintenance_guides_list.html

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html#wp1056494

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect22/administration/guide/22admin4.html#wp1008975


How to authenticate AnyConnect VPN against RADIUS

AnyConnect and Cisco ACS RADIUS is a bit more complicated because the ASA5500 documentation states that you cannot use the same RADIUS for authentication and authorization. So things get more complex by themselves 😉 But if I see things in the right light, we don't need authorization at all, so we will see on Monday how things develop.


Authentication against RADIUS is quite easy to configure.

Just add the RADIUS servers as described here.
Then add the following to the configuration:

[sourcecode gutter=”false” autolinks=”false”]
tunnel-group SSLClientProfile general-attributes
   authentication-server-group AAA-RADIUS
[/sourcecode]
While debugging the RADIUS authentication I see our FreeRADIUS deliver the av-pairs with the authentication request, so let's see if the ASA accepts them.

How to use Radius/Tacacs+ and Certificate based Authentication for AnyConnect VPN

First you have to add a valid certificate to the ASA, then change the following in the configuration.

[sourcecode]
tunnel-group SSLClientProfile general-attributes
   authentication-server-group AAA-TACACS+
!
tunnel-group SSLClientProfile webvpn-attributes
   authentication aaa certificate
[/sourcecode]
Then you can connect to the ASA only with both a username and a user certificate.


How to authenticate AnyConnect VPN against Tacacs+


Authentication against Tacacs+ is quite easy to configure.

Just add the Tacacs+ servers as described here.
Then add the following to the configuration:

[sourcecode]
tunnel-group SSLClientProfile general-attributes
   authentication-server-group AAA-TACACS+
[/sourcecode]


How to configure Cisco ASA 5500 for AnyConnect Client

So I was testing some stuff with the authentication on the ASA firewall and the AnyConnect client over the last few days. So I feel it is time to write things down a little bit.

First I discovered we have the same problem with the Windows 7 Firewall. Windows is not detecting the interface, so the firewall does not recognize that we are part of the domain :-( Sad, very sad. But as I described here, there is a workaround, but this is not supported by Cisco in any way.
But anyhow, we have to move to the AnyConnect Client to get VPN running with WWAN cards.

So let's begin with a basic setup: only local users, connecting to the ASA with the AnyConnect Client.
No complex things, just connectivity. So we will start here with the configuration.
In the next posts we will go to the more complex things.


DownStream Power Back Off (DPBO) and our Cisco gear

I love my Job 😉

We discovered a new feature on the DSL lines. It is called DownStream Power Back Off; this feature was introduced in November 2007 and is currently only supported on German Telekom lines, whereas the ADSL2+ specification is from 2004. The Ciscos have implemented the specification from 2004, and today no router supports the 2007 specs. So if you are using Cisco hardware, have a look here to see if your router supports it.


DMVPN with Linux

Ever since I discovered DMVPN in 2004/5, I have known that it is a very intelligent combination of IPsec, GRE and NHRP. Many thanks to the guys at Cisco, Christoph, Frederick and all the others.

This week I discovered “opennhrp” on SourceForge.

It took me a minute or two to have a VM with Debian up and the needed tools installed.

I used VMware with a bridged Ethernet interface for testing, installed the Debian 4.0 netinstall ISO and upgraded to sid / testing, so I got kernel version 2.6.26-1-686.

Then I downloaded ipsec-tools-0.8-alpha20090126.tar.bz2 from the site. You have to install some libs and tools to build ipsec-tools, like kernel headers and so on :-), and then I did the usual configure and make steps.

I went on to build opennhrp; everything went without a problem up to here.

Next i configured racoon and ipsec-tools and opennhrp like this:

   /etc/ipsec-tools.conf 
   #!/usr/sbin/setkey -f
   spdflush;
   spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
   spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;

   /etc/racoon/racoon.conf 
   path pre_shared_key "/etc/racoon/psk.txt";
   remote anonymous {
      exchange_mode main,aggressive;
      lifetime time 24 hour;
      # nat_traversal on;
      script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
      proposal {
         encryption_algorithm 3des;
         hash_algorithm sha1;
         authentication_method pre_shared_key;
         dh_group 5;
      }
   }
   sainfo anonymous {
      lifetime time 12 hour;
      encryption_algorithm 3des, blowfish 448, rijndael;
      authentication_algorithm hmac_sha1, hmac_md5;
      compression_algorithm deflate;
   }

   /etc/racoon/psk.txt
   10.2.0.90 1234

   /etc/opennhrp/opennhrp.conf
   interface gre1
      map 172.255.255.1/24 10.2.0.90 register cisco
      cisco-authentication 1234
      shortcut

Now get the tunnel up:

   ip tunnel add gre1 mode gre key 1234 ttl 64
   ip addr add 172.255.255.2/24 dev gre1
   ip tunnel change gre1 local 10.0.81.115
   ip link set gre1 up

Now it's time to move to the other side.

We are using a Cisco 1812 with c181x-advsecurityk9-mz.124-15.T7.bin running.

   crypto isakmp policy 10
      encr 3des
      authentication pre-share
      group 5
   !
   crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
   !
   crypto ipsec transform-set TRANSFORMSET_3 esp-3des esp-sha-hmac
      mode transport
   !
   crypto ipsec profile Profile3
      set transform-set TRANSFORMSET_3
   !
   interface Tunnel888
      ip address 172.255.255.1 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip mtu 1400
      ip flow ingress
      ip nhrp authentication 1234
      ip nhrp map multicast dynamic
      ip nhrp network-id 10064
      ip nhrp holdtime 360
      ip nhrp max-send 200 every 10
      ip route-cache same-interface
      ip tcp adjust-mss 1350
      load-interval 30
      tunnel source 10.2.0.90
      tunnel mode gre multipoint
      tunnel key 1234
      tunnel protection ipsec profile Profile3

and voilà

   Router# sh dmvpn interface tunnel 888
   Load for five secs: 8%/3%; one minute: 9%; five minutes: 10%
   Time source is NTP, 22:14:22.148 CET Sat Feb 14 2009
   Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
   N - NATed, L - Local, X - No Socket
   # Ent --> Number of NHRP entries with same NBMA peer
   Tunnel888, Type:Hub, NHRP Peers:1,
   # Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
   ----- --------------- --------------- ----- -------- -----
   1 10.0.81.115 172.255.255.2 UP never D
   Router# ping 172.255.255.2
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 172.255.255.2, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

This looks great :-)
Many thanks, Timo, for doing such impressive work. I like Cisco for their impressive boxes and I also like open source software.

— edit February 15, 2009 at 12:09 am —

After a while I found no packets traveling; the NHRP registration was gone on the Cisco side. Maybe the hold timers differ, so I added “holding-time 360” to opennhrp.conf; an opennhrpctl purge fixed the problem.
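
An added check, not part of the original post: it audits the algorithm-related lines of the racoon.conf and the psk.txt shown above against a reviewer-chosen policy and lists the phase 1 and phase 2 settings that policy rejects. The function name `audit_racoon`, the `WEAK` table and `MIN_PSK_LEN` are assumptions of this example.

```python
# Algorithm-related lines of the post's racoon.conf and its psk.txt (embedded to run offline).
RACOON_CONF = """
remote anonymous {
   exchange_mode main,aggressive;
   proposal {
      encryption_algorithm 3des;
      hash_algorithm sha1;
      authentication_method pre_shared_key;
      dh_group 5;
   }
}
sainfo anonymous {
   encryption_algorithm 3des, blowfish 448, rijndael;
   authentication_algorithm hmac_sha1, hmac_md5;
   compression_algorithm deflate;
}
"""
PSK_TXT = "10.2.0.90 1234\n"

# Review policy: an assumption of this example, not a racoon default.
WEAK = {
    "encryption_algorithm": {"des", "3des", "blowfish"},  # 64-bit block ciphers
    "hash_algorithm": {"md5"},
    "authentication_algorithm": {"hmac_md5"},
    "dh_group": {"1", "2", "5", "modp768", "modp1024", "modp1536"},
}
MIN_PSK_LEN = 20  # assumed minimum length for a shared secret

def audit_racoon(conf, psk_txt=""):
    """Return (section, directive, value) for each setting the policy rejects."""
    findings, section = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):            # "remote anonymous {", "proposal {"
            section.append(line.split()[0])
        elif line == "}":
            section.pop()
        elif line:
            key, _, rest = line.rstrip(";").partition(" ")
            # list values look like "blowfish 448": keep only the algorithm name
            values = [v.split()[0] for v in rest.split(",") if v.strip()]
            bad = WEAK.get(key, set()) | ({"aggressive"} if key == "exchange_mode" else set())
            findings += [("/".join(section), key, v) for v in values if v in bad]
    for entry in psk_txt.splitlines():    # psk.txt lines are "<peer> <secret>"
        parts = entry.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#") and len(parts[1]) < MIN_PSK_LEN:
            findings.append(("psk.txt", parts[0], "short pre-shared key"))
    return findings

if __name__ == "__main__":
    print(*audit_racoon(RACOON_CONF, PSK_TXT), sep="\n")
```

Because both ends must agree on a proposal, anything flagged here has to be changed on the Cisco side (`crypto isakmp policy 10`, the transform set and the wildcard `crypto isakmp key`) at the same time.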

Cisco WAAS with IOS Router

The configuration on an IOS router is analogous to the configuration on the switches, so I won't repeat it here.

The configuration on the WAAS is not set statically but negotiated via WCCP.

[sourcecode]
wccp router-list 1 10.2.0.145
wccp tcp-promiscuous router-list-num 1
wccp version 2
egress-method negotiated-return intercept-method wccp

[/sourcecode]
