Tag: VPN

Clientless SSL VPN Lab

In this post I’m going to set up a Clientless SSL VPN via the ASDM GUI and then connect to it from the TinyCore Linux PC, all from within GNS3.

Topology:

[Image: lab topology]

I’m using the topology above. The nodes are the ASA, with the ASDM connected via the cloud from my local PC; if you want to know how to set the ASA up with ASDM access, check out one of my other posts: How-To: ASA in GNS3 with ASDM.

I’ll also be using R4 and the Remote Worker PC, which runs TinyCore Linux, to test the Clientless SSL VPN.

Configure the Clientless SSL VPN on the ASAv via the ASDM GUI

[Image: ASDM main screen]

When you log into the ASDM GUI you’ll get the main screen shown above. Click on Wizards > VPN Wizards > Clientless SSL VPN Wizard…

[Image: ASDM Wizards menu]

The Clientless SSL VPN Wizard window will pop up; click on Next and you’ll get the following window.

[Image: wizard step 2, SSL VPN interface]

Here you need to give your Clientless SSL VPN a Connection Profile Name; I’ve named this one SSL_Remote_Access. I’ve also selected the interface that SSL VPN connections will arrive on, which is the Outside interface (Internet). I don’t have my own digital certificate, so I’m leaving Certificate set to None; because of this the ASA will present a self-signed certificate. I’ve also given the connection an alias of SSL. Click on Next.

[Image: wizard step 3, user authentication]

The next step is to configure user authentication. You have the choice of an AAA server (which I don’t have) or the local user database, which I’ve selected. Select Authenticate using the local user database and add a new user; here I’m adding Homer. Once added, click on Next.

[Image: wizard step 4, group policy]

The next step is to set up a group policy or select an existing one. Here I’ve set up a new policy called Remote_Users; this policy will inherit the DfltGrpPolicy attributes, which I can change later if I need to. Click on Next.

[Image: wizard step 5, bookmark list]

In the next step you can configure a list of bookmarks that remote users will be able to click on to access resources on the Corp LAN. Click on Manage > Add.

Here you give the bookmark a name, like EMAIL. Click on Add.

[Image: bookmark entry]

You need to configure the IP address of the EMAIL server. I don’t have an email server in my lab, but the bookmark should still appear once I connect to the Clientless SSL VPN (hopefully).

[Image: wizard step 6, summary]

That is it; you’ll get a summary page. Click on Finish to send the config to the ASA.

With the ASA configured, the next step is to configure R4 in my topology. I’ll have to give Gi0/1 an IP address (200.0.0.1/24) and also a default route sending all traffic to the ASA, using the command “ip route 0.0.0.0 0.0.0.0 136.1.47.1”, as shown below.

[Image: R4 configuration]

Next, configure the TinyCore Linux PC with an IP address in the same range as Gi0/1. I’ll use 200.0.0.2 and set the default gateway to 200.0.0.1.

[Image: TinyCore Linux network settings]

To configure an IP address on the Linux PC, click on Control Panel > Network.

Set the IP address and the Gateway and click on Apply.

It is always good practice to test connectivity: open a terminal window on the Linux PC and ping the gateway at 200.0.0.1.

[Image: ping to R4]

Now, using the built-in Firefox browser on the Linux PC, it is time to test the Clientless SSL VPN and see if we can connect to the Corp LAN. In the address bar enter the URL configured earlier, which is: https://136.1.47.1/SSL

[Image: SSL connection certificate warning]

Looks good. Because this is a self-signed certificate from the ASA, the Firefox browser warns you not to trust the site. Click on I Understand the Risks to continue. Once you accept the risk you will get the following login page.
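Clicking through that warning is fine in a lab, but the check a remote worker should actually do before accepting a self-signed certificate is to compare its fingerprint with one obtained out of band from whoever administers the ASA. The script below is an added example, not part of the original post: it fetches the ASA's leaf certificate without validating it, prints the SHA-256 fingerprint the way a browser displays it, and compares it in constant time with an expected value. The ASA address is the post's; EXPECTED is a placeholder to replace with the real fingerprint.

```python
"""Added example, not from the original post: verify an ASA's self-signed
certificate by fingerprint before accepting the browser warning.
The expected fingerprint below is a placeholder, not a real value."""
import hashlib
import hmac
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Accept 'AB:CD..', 'ab cd ..' or bare hex so a copy-pasted value compares cleanly."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Constant-time comparison of the presented certificate with the expected fingerprint."""
    return hmac.compare_digest(normalise(sha256_fingerprint(der)), normalise(expected))


def fetch_leaf_certificate(host: str, port: int = 443) -> bytes:
    """Fetch the DER leaf certificate without chain validation. Validation is
    what we are about to do by hand, so the normal check is disabled on purpose;
    nothing else is sent over this connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # ASA outside address from the post; EXPECTED is a placeholder to replace with
    # the fingerprint read from the ASA by its administrator.
    EXPECTED = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
    der = fetch_leaf_certificate("136.1.47.1")
    print("presented:", sha256_fingerprint(der))
    print("fingerprint matches" if fingerprint_matches(der, EXPECTED) else "MISMATCH: do not log in")
```

Once you have confirmed the fingerprint, the cleaner long-term fix is to enrol the ASA with a certificate the client browsers already trust, so the warning stops appearing at all and users are not trained to click through it.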

[Image: SSL VPN login page]

Enter the username and password, in my case Homer.

[Image: logged in]

Success!! I have logged in and, as you can see, the EMAIL bookmark I configured during the Clientless SSL VPN setup is there.

I hope you found this useful, get labbing and try it out for yourself.

Feedback always welcomed.

IPSec Site-to-Site VPN

 

In this post, I will show you how to set up a site-to-site VPN using IPSec. I read up on IPSec and its two tunnels, IKE Phase 1 (management) and IKE Phase 2 (data), and thought the best way to understand this is to create a lab.

Lab Topology

[Image: lab topology]

Above is the lab that I set up. A few things to know:

I am using BGP between R1-R2-R3. R1 is Site 1 and R3 is Site 2; R2 is the Internet. I’m not going to go through setting up the eBGP peerings, but the main thing once configured is that you can ping from Site 1’s public IP address to Site 2’s public IP address. If you would like the configuration files for the basic setup including eBGP, let me know and I will share them with you.

Lab Objectives:

  1. Set up an IKE Phase 1 tunnel using the following parameters:
  • Hashing = SHA
  • Authentication = pre-shared key
  • DH Group = 5
  • Lifetime = default
  • Encryption = AES-128

  2. Set up an IKE Phase 2 tunnel using the following parameters:
  • Create a transform set using esp-des and esp-md5-hmac
  • Create a crypto map with the peer address, referencing the transform set and access-list
  • Create an access-list to identify interesting traffic to encrypt using the IPSec tunnel

Lab Configuration

With connectivity already in place, we should be able to ping each site’s public IP address across the Internet.

Site 1:

Site1#ping 96.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 96.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms

Site 2:

Site2#ping 86.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 86.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/40 ms

Also, we should try to ping each LAN PC. This shows that at the moment we have no way of reaching each site’s LAN, but once we set up IPSec our data will be encapsulated and encrypted using the public addresses.

PC1 (Site 1)

No dice, as expected!

PC1> ping 196.168.1.2
196.168.1.2 icmp_seq=1 timeout
196.168.1.2 icmp_seq=2 timeout
196.168.1.2 icmp_seq=3 timeout
196.168.1.2 icmp_seq=4 timeout
196.168.1.2 icmp_seq=5 timeout

PC2 (Site 2)

Same result!

PC2> ping 172.16.0.2
172.16.0.2 icmp_seq=1 timeout
172.16.0.2 icmp_seq=2 timeout
172.16.0.2 icmp_seq=3 timeout
172.16.0.2 icmp_seq=4 timeout
172.16.0.2 icmp_seq=5 timeout

IKE Phase 1

Keeping in mind the lab objectives, let’s set up each of the IKE Phase 1 requirements.

First, we need to set up an isakmp policy.

Site1(config)#crypto isakmp policy 1

A good way to remember what parameters can be set in IKE Phase 1 is the word HAGLE.

H=Hash

A=Authentication

G=DH Group

L=Lifetime

E=Encryption

Site1(config-isakmp)#hash sha
Site1(config-isakmp)#authentication pre-share
Site1(config-isakmp)#group 5
Site1(config-isakmp)#encryption aes 128

I left the lifetime of the tunnel at the default for this lab. Note that the parameters need to match on each site for the IKE Phase 1 tunnel to come up.
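The "parameters need to match" rule is where most Phase 1 failures come from, so it is worth seeing exactly what is compared. The following is an added example, not from the original post: it parses the `crypto isakmp policy` blocks out of running-config text for both sites, walks the policies in priority order the way the peers do, reports the first pair that agrees on hash, authentication, DH group and encryption, and for troubleshooting lists which HAGLE attribute differs for every pair. The IOS defaults it fills in for unset parameters (DES, SHA, RSA signatures, group 1, 86400 s) are an assumption based on documented IKEv1 behaviour; Site 2's sample config is constructed with a deliberately mismatched policy 1 so the matching policy 10 wins.

```python
"""Added example, not from the original post: model IKEv1 Phase 1 (ISAKMP)
policy matching between two IOS peers from their running-config text.
DEFAULTS are an assumption based on documented IKEv1 defaults."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULTS = {"encryption": "des", "hash_alg": "sha", "authentication": "rsa-sig",
            "group": 1, "lifetime": 86400}
# CLI keyword -> policy attribute ('encr'/'encryption' is handled separately)
KEYWORDS = {"hash": "hash_alg", "authentication": "authentication",
            "group": "group", "lifetime": "lifetime"}
# Attributes that must be identical; lifetime is negotiated, not matched.
HAGLE = ("hash_alg", "authentication", "group", "encryption")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash_alg: str
    authentication: str
    group: int
    lifetime: int


def parse_isakmp_policies(config: str) -> List[IsakmpPolicy]:
    """Extract every 'crypto isakmp policy N' block, sorted by priority."""
    policies: List[IsakmpPolicy] = []
    current: Optional[Dict] = None

    def flush() -> None:
        nonlocal current
        if current is not None:
            policies.append(IsakmpPolicy(**current))
            current = None

    for raw in config.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if header:
            flush()
            current = dict(DEFAULTS, priority=int(header.group(1)))
            continue
        if current is None or not raw[:1].isspace():
            flush()                       # any non-indented line ends the block
            continue
        key, _, value = raw.strip().partition(" ")
        if key in ("encr", "encryption"):
            alg, _, bits = value.partition(" ")   # 'aes' alone means AES-128
            current["encryption"] = f"{alg}-{bits or 128}" if alg == "aes" else alg
        elif key in KEYWORDS:
            attr = KEYWORDS[key]
            current[attr] = int(value) if attr in ("group", "lifetime") else value
    flush()
    return sorted(policies, key=lambda p: p.priority)


def negotiate_phase1(local: List[IsakmpPolicy], remote: List[IsakmpPolicy]
                     ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """First (local, remote) pair that agrees on HAGLE, plus the lifetime the SA
    ends up with (the shorter of the two). Simplification: a real IOS responder
    also insists the remote lifetime be <= its own, but the effect is the same."""
    for l in local:
        for r in remote:
            if all(getattr(l, a) == getattr(r, a) for a in HAGLE):
                return l, r, min(l.lifetime, r.lifetime)
    return None


def mismatch_report(local: List[IsakmpPolicy], remote: List[IsakmpPolicy]
                    ) -> Dict[Tuple[int, int], List[str]]:
    """For each policy pair, the attributes that differ (empty list == match).
    Handy when 'show crypto isakmp sa' sits in MM_NO_STATE instead of QM_IDLE."""
    return {(l.priority, r.priority): [a for a in HAGLE if getattr(l, a) != getattr(r, a)]
            for l in local for r in remote}


# Constructed samples: Site 1 as configured in the post; Site 2 with a mismatched
# policy 1 (3DES, group 2) and a matching policy 10 with a shorter lifetime.
SITE1_CONFIG = """\
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 5
crypto isakmp key mrrobot address 96.1.1.1
"""
SITE2_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 3600
"""

if __name__ == "__main__":
    s1, s2 = parse_isakmp_policies(SITE1_CONFIG), parse_isakmp_policies(SITE2_CONFIG)
    print(negotiate_phase1(s1, s2))
    for pair, diff in mismatch_report(s1, s2).items():
        print(pair, "match" if not diff else "differs on " + ", ".join(diff))
```

The point the report makes visible is that a single matching policy anywhere in the list is enough for Phase 1, but the negotiated lifetime is whichever side is shorter, so a peer with a 3600 s policy will rekey the tunnel hourly even if your side says 86400.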

The next step is to set the pre-shared key that will be used between the two sites. Let’s use mrrobot.

Site1(config)#crypto isakmp key mrrobot address 96.1.1.1

Here we have entered the shared key to use and also the peer address we want to use it with, in our case Site 2.

IKE Phase 2

This tunnel is the IPSec tunnel, which will be used to encrypt user data.

Site1(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac

Here we are creating a transform set named myset, using esp-des for encryption (weak, very weak, but it will do for the lab) and esp-md5-hmac for hashing and integrity.

Next, we will set up a crypto map.

Site1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Site1(config-crypto-map)#set peer 96.1.1.1
Site1(config-crypto-map)#set transform-set myset
Site1(config-crypto-map)#match address 100
Site1(config-crypto-map)#exit

Here we are telling the crypto map called mymap which peer to set up the tunnel with, which transform set to use and which interesting traffic to match.

Next, set up the access-list that the crypto map references.

Site1(config)#access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255

With this access-list we are telling it to match traffic from the Site 1 LAN with a destination of the Site 2 LAN; any other traffic that does not match this access-list will be sent unencrypted.

Lastly, we need to apply the crypto map to the public-facing interface.

Site1(config)#int fa0/0
Site1(config-if)#crypto map mymap
*Mar 1 01:12:06.375: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

OK, that is everything we need to configure on Site 1 for IPSec. I am not going to go through the same for Site 2, as it is pretty much the same but in reverse.
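"The same but in reverse" hides the most common Phase 2 mistake: a crypto ACL on one side that is not the exact mirror of the other. As an added example (not the post's own configuration), the script below renders the Site 1 configuration from the post as a template, produces Site 2 by swapping local and remote, and then cross-checks the two texts: each side's `set peer` and pre-shared key address must point at the other site, and the two access-lists must swap source and destination exactly, wildcards included. Addresses, LANs, names and the key are the post's; Site 2's interface name is an assumption.

```python
"""Added example, not from the original post: render Site 2's IPSec config as
the mirror of Site 1 and verify that the two sides really mirror each other.
Site 2's interface name is an assumption."""
import re
from typing import Dict, List, Optional

ACL_RE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")

SITE1 = {"name": "Site1", "public_ip": "86.1.1.1", "lan": "172.16.0.0",
         "lan_wc": "0.0.0.255", "interface": "fa0/0"}
SITE2 = {"name": "Site2", "public_ip": "96.1.1.1", "lan": "192.168.0.0",
         "lan_wc": "0.0.0.255", "interface": "fa0/0"}   # interface: assumption


def render_site(local: Dict[str, str], remote: Dict[str, str], psk: str, acl: int = 100) -> str:
    """The Phase 1 + Phase 2 configuration from the post, parameterised per site."""
    return "\n".join([
        "crypto isakmp policy 1",
        " encryption aes 128",
        " hash sha",
        " authentication pre-share",
        " group 5",
        f"crypto isakmp key {psk} address {remote['public_ip']}",
        "crypto ipsec transform-set myset esp-des esp-md5-hmac",
        "crypto map mymap 10 ipsec-isakmp",
        f" set peer {remote['public_ip']}",
        " set transform-set myset",
        f" match address {acl}",
        f"access-list {acl} permit ip {local['lan']} {local['lan_wc']} "
        f"{remote['lan']} {remote['lan_wc']}",
        f"interface {local['interface']}",
        " crypto map mymap",
    ])


def parse_crypto_acl(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'access-list N permit ip SRC WC DST WC' line, or None."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    number, src, src_wc, dst, dst_wc = m.groups()
    return {"number": number, "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}


def acls_mirror(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """Peer crypto ACLs must swap source and destination exactly, wildcards included;
    otherwise the Phase 2 proxy identities disagree and the IPSec SA never forms."""
    return (a["src"], a["src_wc"], a["dst"], a["dst_wc"]) == \
           (b["dst"], b["dst_wc"], b["src"], b["src_wc"])


def extract(cfg: str) -> Dict[str, object]:
    """Pull the peer address, key binding and crypto ACL out of a site config."""
    peer = re.search(r"set peer (\S+)", cfg)
    key_addr = re.search(r"crypto isakmp key \S+ address (\S+)", cfg)
    acls = [a for a in map(parse_crypto_acl, cfg.splitlines()) if a]
    return {"peer": peer.group(1) if peer else None,
            "key_address": key_addr.group(1) if key_addr else None,
            "acl": acls[0] if acls else None}


def verify_peering(cfg_a: str, ip_a: str, cfg_b: str, ip_b: str) -> List[str]:
    """Cross-check two site configs; an empty list means they mirror correctly."""
    a, b = extract(cfg_a), extract(cfg_b)
    problems = []
    if a["peer"] != ip_b or b["peer"] != ip_a:
        problems.append("set peer does not point at the other site's public address")
    if a["key_address"] != ip_b or b["key_address"] != ip_a:
        problems.append("pre-shared key is bound to the wrong peer address")
    if not (a["acl"] and b["acl"] and acls_mirror(a["acl"], b["acl"])):
        problems.append("crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    site1_cfg = render_site(SITE1, SITE2, "mrrobot")
    site2_cfg = render_site(SITE2, SITE1, "mrrobot")
    print(site2_cfg)
    print(verify_peering(site1_cfg, SITE1["public_ip"], site2_cfg, SITE2["public_ip"])
          or ["configs mirror correctly"])
```

Run it and the printed block is what you would paste into Site 2. The check is deliberately strict about wildcard masks: a 0.0.255.255 on one side against 0.0.0.255 on the other is enough to keep Phase 2 down even though Phase 1 comes up happily.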

Testing

So let’s test this out to see if it works. If it does, the traffic that we tried to send earlier from Site 1’s LAN should now be successful.

Ping from PC1 to PC2

PC1> ping 192.168.0.2
192.168.0.2 icmp_seq=1 timeout
192.168.0.2 icmp_seq=2 timeout
84 bytes from 192.168.0.2 icmp_seq=3 ttl=62 time=36.000 ms
84 bytes from 192.168.0.2 icmp_seq=4 ttl=62 time=39.000 ms
84 bytes from 192.168.0.2 icmp_seq=5 ttl=62 time=43.000 ms

Success! The first two packets that failed could be due to ARP and/or the time it took for the two tunnels to be built.

And just to show the other side is also working.

PC2> ping 172.16.0.2
84 bytes from 172.16.0.2 icmp_seq=1 ttl=62 time=36.000 ms
84 bytes from 172.16.0.2 icmp_seq=2 ttl=62 time=42.000 ms
84 bytes from 172.16.0.2 icmp_seq=3 ttl=62 time=50.000 ms
84 bytes from 172.16.0.2 icmp_seq=4 ttl=62 time=49.000 ms
84 bytes from 172.16.0.2 icmp_seq=5 ttl=62 time=46.000 ms

Show commands

IKE Phase 1 Tunnel

Site1#show crypto isakmp sa

dst          src                     state               conn-id    slot         status
86.1.1.1  96.1.1.1             QM_IDLE      1                  0             ACTIVE

Here we see that we have an IKE Phase 1 tunnel active.

IKE Phase 2 Tunnel

Site1#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: mymap, local addr 86.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 96.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 86.1.1.1, remote crypto endpt.: 96.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD796A48B(3616973963)

There is a lot more information in the IPSec output. We can see which interface the crypto map is applied to, the local and remote addresses that are being encrypted, the current peer, and the number of packets sent and the number encrypted.
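Reading these two outputs by eye works for a lab, but the same fields are what you would want a monitoring job to check. The script below is an added example, not from the original post: it parses the `show crypto isakmp sa` and `show crypto ipsec sa` text shown above (embedded here as sample input) and reduces them to a short list of findings, such as no active Phase 1 SA, packets encrypted outbound with nothing decrypted in return, or send/receive errors. The finding texts and thresholds are my own choices.

```python
"""Added example, not from the original post: turn 'show crypto isakmp sa' and
'show crypto ipsec sa' output into a tunnel health check. The sample text below
is the output shown in the post."""
import re
from typing import Dict, List

ISAKMP_SA_OUTPUT = """\
dst          src                     state               conn-id    slot         status
86.1.1.1  96.1.1.1             QM_IDLE      1                  0             ACTIVE
"""

IPSEC_SA_OUTPUT = """\
interface: FastEthernet0/0
Crypto map tag: mymap, local addr 86.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 96.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
"""

ISAKMP_COLUMNS = ("dst", "src", "state", "conn_id", "slot", "status")


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """One dict per SA row; the header line is recognised by its first column name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= len(ISAKMP_COLUMNS) and parts[0] != "dst":
            rows.append(dict(zip(ISAKMP_COLUMNS, parts)))
    return rows


def parse_ipsec_sa(text: str) -> Dict[str, object]:
    """Peer, proxy identities and packet counters from 'show crypto ipsec sa'."""
    info: Dict[str, object] = {"counters": {}}
    m = re.search(r"current_peer (\S+) port (\d+)", text)
    if m:
        info["peer"], info["peer_port"] = m.group(1), int(m.group(2))
    for side in ("local", "remote"):
        m = re.search(rf"{side} ident \(addr/mask/prot/port\): \(([^)]+)\)", text)
        if m:
            info[f"{side}_ident"] = m.group(1)
    counters: Dict[str, int] = info["counters"]  # type: ignore[assignment]
    # '#pkts compr. failed: 0' becomes counters['compr_failed'] == 0, and so on
    for m in re.finditer(r"#pkts ([a-z. ]+?): (\d+)", text):
        counters[m.group(1).replace(".", "").replace(" ", "_")] = int(m.group(2))
    for m in re.finditer(r"#(send|recv) errors (\d+)", text):
        counters[f"{m.group(1)}_errors"] = int(m.group(2))
    return info


def tunnel_findings(isakmp_rows: List[Dict[str, str]], ipsec: Dict[str, object]) -> List[str]:
    """Empty list means healthy; each string is something to go and look at."""
    findings = []
    if not any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE" for r in isakmp_rows):
        findings.append("no active Phase 1 SA in QM_IDLE (check HAGLE parameters and the pre-shared key)")
    c: Dict[str, int] = ipsec["counters"]  # type: ignore[assignment]
    if c.get("encaps", 0) and not c.get("decaps", 0):
        findings.append("packets leave encrypted but none come back (peer ACL, routing or NAT)")
    if c.get("send_errors", 0) or c.get("recv_errors", 0):
        findings.append("send/recv errors present on the IPSec SA")
    if not c.get("encaps", 0) and not c.get("decaps", 0):
        findings.append("no packets have matched the crypto ACL yet")
    return findings


if __name__ == "__main__":
    rows, ipsec = parse_isakmp_sa(ISAKMP_SA_OUTPUT), parse_ipsec_sa(IPSEC_SA_OUTPUT)
    print(rows)
    print(ipsec["local_ident"], "->", ipsec["remote_ident"], "via", ipsec["peer"])
    print(tunnel_findings(rows, ipsec) or ["tunnel healthy"])
```

For the output in the post this reports a healthy tunnel: Phase 1 is in QM_IDLE/ACTIVE and both encaps and decaps are non-zero. The asymmetric case (encaps climbing, decaps stuck at zero) is the signature you would see if Site 2's crypto ACL did not mirror Site 1's, which is why it gets its own finding.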

eBGP Configuration

As requested by Muadiv, here is the BGP configuration on each router for this lab.

Site 1:

router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 86.1.1.2 remote-as 2
no auto-summary

Internet Router:

router bgp 2
no synchronization
bgp log-neighbor-changes
network 86.1.1.0 mask 255.255.255.0
network 96.1.1.0 mask 255.255.255.0
neighbor 86.1.1.1 remote-as 1
neighbor 96.1.1.1 remote-as 3
no auto-summary

Site 2:

router bgp 3
no synchronization
bgp log-neighbor-changes
neighbor 96.1.1.2 remote-as 2
no auto-summary