Thursday, March 18, 2010

L2L IPSec Tunnel ASA to IOS

I would like to share with you a case I got that allowed me to explore the ASA, as I am no ASA expert I hope that is not to dumb and will provide some added value but if not then ok I will share it anyway

For the case study here lets say there is no network beside the diagram you will see bellow

IPsec

First I would like to share configuration and some debug commands (and there output).

###ASA

crypto isakmp enable <outside-if-name>
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400

access-list IPSec-traffic extended permit ip <SOURCE_NET_SERVER_FARM> <DESTINATION_NET_HOSTS>
crypto ipsec transform-set TS esp-des esp-md5-hmac
crypto map IPSEC 10 match address IPSec-traffic
crypto map IPSEC 10 set peer <C2800-DST-IP>
crypto map IPSEC 10 set transform-set TS
crypto map IPSEC interface <outside-if-name>


tunnel-group <C2800-DST-IP> type ipsec-l2l
tunnel-group <C2800-DST-IP> ipsec-attributes
pre-shared-key <PASSWORD>

###ROUTER

#IKE PHASE 1
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key <PASSWORD> address 0.0.0.0 0.0.0.0

#IKE PHASE 2 IPSEC
crypto ipsec transform-set TS esp-des esp-md5-hmac
crypto dynamic-map DYN 10
set transform-set TS
crypto map IPSEC 10 ipsec-isakmp dynamic DYN


interface <X>
crypto map IPSEC

# ASA SOME SHOW/DEBUG COMMANDS

#

ciscoasa(config)# sh isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: <C2800-DST-IP>
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 57501

ciscoasa(config)# sh ipsec sa detail
interface: outside
    Crypto map tag: IPSEC, seq num: 10, local addr: <ASA-SRC-IP>

      access-list IPSec-traffic permit ip <SOURCE_NET_SERVER_FARM> <DESTINATION_NET_HOSTS>
      local ident (addr/mask/prot/port): (SOURCE_NET/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (DESTINATION_NET/255.255.255.0/0/0)
      current_peer: <C2800-DST-IP>

      #pkts encaps: 71917, #pkts encrypt: 71917, #pkts digest: 71917
      #pkts decaps: 71903, #pkts decrypt: 71903, #pkts verify: 71903
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 71917, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: <ASA-SRC-IP>, remote crypto endpt.: <C2800-DEST-IP>

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: E1C2DB71

    inbound esp sas:
      spi: 0xE8F3372E (3908253486)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: IPSEC
         sa timing: remaining key lifetime (kB/sec): (4274983/1861)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xE1C2DB71 (3787643761)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: IPSEC
         sa timing: remaining key lifetime (kB/sec): (4274983/1861)
         IV size: 8 bytes
         replay detection support: Y

# ISAKMP DEBUG

ciscoasa# debug crypto isakmp

HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
%ASA-7-713236: IP = <C2800-DEST-IP>, IKE_DECODE RECEIVED Message (msgid=c49feb32) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing hash payload
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing SA payload
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing nonce payload
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing ID payload
%ASA-7-714011: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, ID_IPV4_ADDR_SUBNET ID received-SOURCE_NET_SERVER_FARM
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing ID payload
%ASA-7-714011: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, ID_IPV4_ADDR_SUBNET ID received--DESTINATION_NET_HOSTS
%ASA-7-715047: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, processing notify payload
%ASA-7-713906: Responder Lifetime decode follows (outb SPI[4]|attributes):
%ASA-7-713906: 0000: 37D453FB 80010001 00020004 00000E10     7.S.............
%ASA-5-713073: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
%ASA-7-713906: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, loading all IPSEC SAs
%ASA-7-715001: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Generating Quick Mode Key!
%ASA-7-715001: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Generating Quick Mode Key!
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x37D453FB) between <ASA-SRC-IP> and <C2800-DEST-IP>(user= <C2800-DEST-IP>) has been created.
%ASA-5-713049: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Security negotiation complete for LAN-to-LAN Group (<C2800-DEST-IP>)  Initiator, Inbound SPI = 0x24d888f2, Outbound SPI = 0x37d453fb
%ASA-7-713906: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, oakley constructing final quick mode
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x24D888F2) between <ASA-SRC-IP> and <C2800-DEST-IP> (user= <C2800-DEST-IP>) has been created.
%ASA-7-714006: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, IKE Initiator sending 3rd QM pkt: msg id = c49feb32
%ASA-7-713236: IP = <C2800-DEST-IP>, IKE_DECODE SENDING Message (msgid=c49feb32) with payloads : HDR + HASH (8) + NONE (0) total length : 72
%ASA-7-715007: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, IKE got a KEY_ADD msg for SA: SPI = 0x37d453fb
%ASA-7-715077: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Pitcher: received KEY_UPDATE, spi 0x24d888f2
%ASA-6-713905: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, Starting P2 Rekey timer to expire in 3420 seconds
%ASA-5-713120: Group = <GRP-NAME>, IP = <C2800-DEST-IP>, PHASE 2 COMPLETED (msgid=c49feb32)

# IPSEC DEBUG
ciscoasa# debug crypto ipsec

%ASA-3-713119: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, PHASE 1 COMPLETED
%ASA-7-713121: IP = <C2800-DEST-IP>, Keep-alive type for this connection: DPD
%ASA-7-713906: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Starting phase 1 rekey timer: 82080000 (ms)
%ASA-7-715006: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, IKE got SPI from key engine: SPI = 0xeaa54840
%ASA-7-713906: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, oakley constucting quick mode
%ASA-7-715046: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, constructing blank hash payload
%ASA-7-715046: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, constructing IPSec SA payload
%ASA-7-715046: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, constructing IPSec nonce payload
%ASA-7-715001: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, constructing proxy ID
%ASA-7-713906: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Transmitting Proxy Id:
  Local subnet:  SOURCE_NET_SERVER_FARM  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: DESTINATION_NET_HOSTS  Mask 255.255.255.0 Protocol 0  Port 0
%ASA-7-714007: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, IKE Initiator sending Initial Contact
%ASA-7-715046: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, constructing qm hash payload
%ASA-7-714004: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, IKE Initiator sending 1st QM pkt: msg id = 0b0b91e2
%ASA-7-713236: IP = <C2800-DEST-IP>, IKE_DECODE SENDING Message (msgid=b0b91e2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
%ASA-7-713236: IP = <C2800-DEST-IP>, IKE_DECODE RECEIVED Message (msgid=b0b91e2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing hash payload
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing SA payload
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing nonce payload
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing ID payload
%ASA-7-714011: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, ID_IPV4_ADDR_SUBNET ID received--SOURCE_NET_SERVER_FARM
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing ID payload
%ASA-7-714011: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, ID_IPV4_ADDR_SUBNET ID received--DESTINATION_NET_HOSTS
%ASA-7-715047: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, processing notify payload
%ASA-7-713906: Responder Lifetime decode follows (outb SPI[4]|attributes):
%ASA-7-713906: 0000: 18C33FE5 80010001 00020004 00000E10     ..?.............

%ASA-5-713073: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
%ASA-7-713906: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, loading all IPSEC SAs
%ASA-7-715001: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Generating Quick Mode Key!
%ASA-7-715001: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Generating Quick Mode Key!
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x18C33FE5) between <ASA-SRC-IP> and <C2800-DEST-IP> (user= <C2800-DEST-IP>) has been created.
%ASA-5-713049: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Security negotiation complete for LAN-to-LAN Group (<C2800-DEST-IP>)  Initiator, Inbound SPI = 0xeaa54840, Outbound SPI = 0x18c33fe5
%ASA-7-713906: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, oakley constructing final quick mode
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xEAA54840) between <ASA-SRC-IP> and <C2800-DEST-IP> (user= <C2800-DEST-IP>) has been created.
%ASA-7-714006: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, IKE Initiator sending 3rd QM pkt: msg id = 0b0b91e2
%ASA-7-713236: IP = <C2800-DEST-IP>, IKE_DECODE SENDING Message (msgid=b0b91e2) with payloads : HDR + HASH (8) + NONE (0) total length : 72
%ASA-7-715007: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, IKE got a KEY_ADD msg for SA: SPI = 0x18c33fe5
%ASA-7-715077: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Pitcher: received KEY_UPDATE, spi 0xeaa54840
%ASA-6-713905: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, Starting P2 Rekey timer to expire in 3420 seconds
%ASA-5-713120: Group = <C2800-DEST-IP>, IP = <C2800-DEST-IP>, PHASE 2 COMPLETED (msgid=0b0b91e2)

THERE WILL BE CONTINUE…

Thursday, March 11, 2010

GOOGLE BUZZ

RIP V2 Analysis

it is very basic stuff but will give you some prospective on how the RIP process works on Cisco router.
When you start the RIP process initially until you define the first network under it you will not see any process running

image

as you can see from above print once I have entered a network 3 process came up, RIP Router the main process RIP send and RIP Timers each name is simply enough self explanatory. now after I have added my own network I will send a request for receiving the full routing table

image 

How do you know that this is a request well just by looking into the wireshark you can see he did the hard work for you but actually it is not that hard as the first byte is either 1 or 2. 1 for request, 2 for response the whole algorithm is laying on this 2 messages, another interesting part about this message is that the metric is set to 16 witch is infinity in RIP world.

now, once I start adding more network’s to be advertised the router start sending response packet every almost 30 seconds the router actually calculate a random time between 25 – 30 seconds and then send the response.

image 

the response contain the full rip routing table, the max number of routes that can be sent in such packet is 25 any thing else will be sent in additional packet, now in case you add a network the router will send immediately a route update contain the single or the number of networks you advertise, but it will not reset the original response timer so you may have as the example bellow:

image

packet 11 show that he was sent after 26.9884 sec
packet 12 I have added a subnet so it was sent immediately, it just happen to be after 10 sec from the last full update
packet 13 after 16 sec from the partial update the router send a full table
So you see that the router didn't update his time due to the update

Now I have added Authentication see the diff between clear text and MD5 beside the obvious see if you can tell

image 

I hope you found it, but if not I will tell you!!!
see the number of networks without authentication and with authentication!!
Yes with authentication (clear text) the router remove the last prefix and insert the authentication at the top

image

Now when adding a key chain and assigning it to the interface you can select the mode of authentication, the default is clear text but you have also an MD5 option
you need to remember that when adding MD5 the authentication is growing 100% from 20byte to 40byte what makes the largest possible RIP packet to 532byte instead of 512byte with default or no authentication.

Now the last part, when removing a network the router advertise the network you removed with metric 16 and that is to poison the routers and telling them that network no longer exist in my routing.

image

Over all you can see that RIP is very basic protocol no fancy neighbor relationships no reliable mechanism, very simple to implement and troubleshoot.

Wednesday, March 03, 2010

Some IPv6 Basics

IPv6 is one of my favorite topics as it looks very complex but it is really nice and easy.

  • easy deployed
  • easy to manage

IPv6 Header as you can see constructed of

8 bit – Version 8 bit - Traffic Class (also known as TOS byte) 20 bit – Flow Label 20 bit - Payload Length 8 bit – Next Header 8 bit – Hop Limit (similar to TTL idea) 128 bit – S. Address 128 bit – D. Address

Total 40byte header

image

Compare it to the IPv4 Header:

image

You can see a smaller header 20byte but much more complex and with the options it can be extended up to 60byte so that is much more then IPv6 Ok now I would like to get to some demonstration of how easy just to get you the taste of IPv6 On my PC (OS-Win7) i didn't configure any IPv6 manually, by default OS win7 and most linux distributions are IPv6 enabled once installed, what that mean you ask?! It mean ipv6 link local address is configured automatically, now for those of you that are new to IPv6 you will ask me, what is link local IPv6 address?! Link Local – it is a non routable ipv6 address that is unique to the local segment, a link local address start with the following FE80::/10 in Cisco the link local address is created from FE80:: + MAC address after taking the 7th bit and converting it (if it was 0 –> 1 and if 1 –>0) so example from my router

HOME-GUEZ(config-if)#do sh int vl16 Vlan16 is up, line protocol is up Hardware is EtherSVI, address is 0017.5922.8114 (bia 0017.5922.8114)

Take 0017.5922.8114 7th bit is 0 change it to 1 makes it 0217.5922.8114 and in the middle inserting 0xFFFE so the full address should look like:

FE80:0000:0000:0000:0217:59FF:FE22:8114 = 128 bit or in short FE80::217:59FF:FE22:8114 and as you can see from the show bellow I was correct :-)

HOME-GUEZ(config-if)#do sh ipv6 int vl16 Vlan16 is up, line protocol is up IPv6 is enabled, link-local address is FE80::217:59FF:FE22:8114

Now I would like to show you something, I have enabled debug of ipv6 packets and under my vlan interface I have added a unicast global ipv6 address and at that moment like magic you can see the router starting working automaticly

HOME-GUEZ#debug ipv6 packet detail IPv6 unicast packet debugging is on (detailed) HOME-GUEZ#term mon HOME-GUEZ# HOME-GUEZ#conf t Enter configuration commands, one per line. End with CNTL/Z. HOME-GUEZ(config)#int vl16 HOME-GUEZ(config-if)#ipv6 address 2001::1/64 HOME-GUEZ(config-if)# Mar 2 21:05:53.956: IPV6: source :: (local) Mar 2 21:05:53.956: dest FF02::1:FF22:8114 (Vlan16) #### prot 58 is ICMPv6, Routers with IPv6 use ICMPv6 control messages to solicit and advertise neighbors, also notice to the use of the last 24 bits 22:8114 at the end of the destination address, the router is sending his own link local last 24 bits to verify that he is the only one of the link local with such address, also called DAD (Duplicate Address Detection) #### I didnt mention this before as I wanted to show you before I talk about it, but the next headed filed job in the ipv6 header is to indicate what is coming after the ipv6 header #### In the first packet you so prot 58 witch is ICMPv6, but in the next you can see prot 0 and that mean hop by hop option is directly after the ipv6 header, #### unlike the ipv4 the ipv6 options are not really part of the ipv6 header, the hop by hop header job is informative extension that each routing node should know about #### not very interesting to us now. Mar 2 21:05:53.956: traffic class 224, flow 0x0, len 64+16, prot 58, hops 255, originating Mar 2 21:05:53.956: IPv6: Sending on Vlan16 Mar 2 21:05:53.960: IPV6: source :: (local) Mar 2 21:05:53.960: dest FF02::16 (Vlan16) Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating Mar 2 21:05:53.960: IPv6: Sending on Vlan16 Mar 2 21:05:53.960: IPV6: source :: (local) Mar 2 21:05:53.960: dest FF02::16 (Vlan16) Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating Mar 2 21:05:53.960: IPv6: Sending on Vlan16 Mar 2 21:05:53.960: IPV6: source :: (local) Mar 2 21:05:53.960: dest FF02::16 (Vlan16) Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating Mar 2 21:05:53.960: IPv6: Sending on Vlan16 Mar 2 21:05:53.960: IPV6: source :: (local) Mar 2 21:05:53.960: dest FF02::16 (Vlan16) Mar 2 21:05:53.960: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating Mar 2 21:05:53.964: IPv6: Sending on Vlan16 Mar 2 21:05:54.456: IPV6: source :: (local) Mar 2 21:05:54.456: dest FF02::16 (Vlan16) Mar 2 21:05:54.456: traffic class 224, flow 0x0, len 76+0, prot 0, hops 1, originating Mar 2 21:05:54.456: IPv6: Sending on Vlan16 #### Here is neighbor advertisement Mar 2 21:05:54.956: IPV6: source FE80::217:59FF:FE22:8114 (local) Mar 2 21:05:54.956: dest FF02::1 (Vlan16) Mar 2 21:05:54.956: traffic class 224, flow 0x0, len 72+8, prot 58, hops 255, originating Mar 2 21:05:54.956: IPv6: Sending on Vlan16 #### And that is a Router Advertisement after my PC had received the router advertisement it already configured him self with a global unicast ipv6 address #### IPv6 Address. . . . . . . . . . . : 2001::6df4:5c91:aac1:9a36(Preferred) Mar 2 21:05:54.956: IPV6: source FE80::217:59FF:FE22:8114 (local) Mar 2 21:05:54.956: dest FF02::1 (Vlan16) Mar 2 21:05:54.956: traffic class 224, flow 0x0, len 104+1396, prot 58, hops 255, originating

And you can see I could ping my router IPv6 global unicast ipv6 address

C:\Users\shiran>ping 2001::1

Pinging 2001::1 with 32 bytes of data: Reply from 2001::1: time=4ms Reply from 2001::1: time=1ms Reply from 2001::1: time=1ms Reply from 2001::1: time=1ms

Ping statistics for 2001::1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 4ms, Average = 1ms

Now I made the debugging shorter then it is but let me show you how dose the router advertisement look like and that will be the last for this post:

image

Now I know that this post is not very organized and it should contain much more explanation but I wanted to give you some 10000 feet view on how it looks complex but at the end I did on my router only 2 commands and I had my home network running IPv6

ipv6 unicast-routing <under the interface> ipv6 address 2001::1/64

Now yes that is not a grand design but think what you had to do if you wanted the same simple network for ipv4….

Risk Management - Quantitative risk assessment

The name kind of give away the type of assessment we talk about "Quantitative" according to google translate: relating to, meas...