Monthly Archives: April 2013

Site-to-site IPSec VPN through NAT

This post follows on from the first in this series and looks at how to modify the config if there is NAT along the way as well as reviewing a couple of the verification commands.

I’ve attached the full configs here.

Network Diagram

IPSec with NAT

Premise

A branch office with an ADSL connection would like to access corporate and local resources without running a local client on office machines. Split tunnelling is not required: all traffic must be routed back up to the corporate HQ. Only one static IP has been provided by the ADSL ISP.

Config

We’ll need to port forward UDP 500 (IKE) so that our corporate ASA can connect to the branch ASA. On the ADSL router we use the following NAT rules:

ip nat inside source list LAN interface FastEthernet0/0 overload
ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/0 500

You’ll see I’ve moved the B-End IP of the IPSec tunnel to the ADSL router so the A-End config doesn’t change. All I need to do is renumber the blue linknet to my chosen RFC1918 subnet of 192.168.1.0/24 and give my ASA a new default route matching the ADSL router’s interface, and all is well.

Testing

One thing which has bitten me in the past is that an IPSec tunnel won’t come up until you send some traffic down it. Since I’m doing this in GNS3 and VPCs, I’ll open up my crypto-map to allow ICMP so that I can bring up the tunnel with some pings.

A-END

access-list OUTSIDE_CRYPTOMAP_10 extended permit icmp any 10.1.0.0 255.255.255.0

B-END

access-list OUTSIDE_CRYPTOMAP_10 extended permit icmp 10.1.0.0 255.255.255.0 any

I also brought up a loopback with IP 8.8.8.8 on R1, to give my host on the other side of the VPN something to ping. Finally I should say that I’m running OSPF on the two routers either side of the ‘public internet’ cloud, so that the IPSec peers have a route to each other.

First I had a look to see if my IPSec SA had come up:

A# show crypto ipsec sa

There are no ipsec sas

Hmm.

VPCS[1]> ping 8.8.8.8
8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 ttl=255 time=60.482 ms
8.8.8.8 icmp_seq=3 ttl=255 time=53.498 ms
8.8.8.8 icmp_seq=4 ttl=255 time=55.094 ms
8.8.8.8 icmp_seq=5 ttl=255 time=47.397 ms

IPSec SA Verification

After bringing up the tunnel by pinging 8.8.8.8 from a host behind the B-END ASA, I was able to verify it (apart from the ICMP Echo Replies I got) as follows:

A# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.0.2.6

      access-list OUTSIDE_CRYPTOMAP_10 extended permit ip any 10.1.0.0 255.255.255.0 
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 192.0.2.129

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.0.2.6/500, remote crypto endpt.: 192.0.2.129/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: C7F1AEC5
      current inbound spi : 9DE630E8

    inbound esp sas:
      spi: 0x9DE630E8 (2649108712)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4055039/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xC7F1AEC5 (3354504901)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4193279/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

A#

Here is how the B-END sees things:

B# show crypto ipsec sa                  
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.1

      access-list OUTSIDE_CRYPTOMAP_10 extended permit ip 10.1.0.0 255.255.255.0 any 
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 192.0.2.6

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.1/500, remote crypto endpt.: 192.0.2.6/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 8E827434
      current inbound spi : 8471E0F8

    inbound esp sas:
      spi: 0x8471E0F8 (2222055672)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4147198/27959)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0007FFFF
    outbound esp sas:
      spi: 0x8E827434 (2390914100)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4285438/27959)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

B#

You can also check out the IKEV2 SAs like this:

A# show crypto ikev2 sa

IKEv2 SAs:

Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 89722291         192.0.2.6/500       192.0.2.129/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK 
      Life/Active Time: 86400/3606 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.1.0.0/0 - 10.1.0.255/65535
          ESP spi in/out: 0xa8d47b04/0xfddbc217

 

B# show crypto ikev2 sa

IKEv2 SAs:

Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 77759211       192.168.1.1/500         192.0.2.6/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK 
      Life/Active Time: 86400/3526 sec
Child sa: local selector  10.1.0.0/0 - 10.1.0.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0xfddbc217/0xa8d47b04
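Reading these two show commands by eye works for one tunnel; for a fleet it helps to turn them into a report. The following is an added example, not code from the original post: it parses the text of show crypto ipsec sa and show crypto ikev2 sa (as captured above, trimmed) and flags the things a practitioner checks first: no SA yet, one-way counters, send/receive errors, and negotiated parameters that differ from the intended policy. The EXPECTED_* values are assumptions taken from the proposal and policy in the site-to-site post further down this page; note that the output above negotiated DH group 2 while that policy lists group 5, which is exactly the kind of drift the check reports.

```python
"""Health report from 'show crypto ipsec sa' and 'show crypto ikev2 sa' text.

Added example, not code from the original post. SAMPLE_* are trimmed from the
outputs on this page; EXPECTED_* are assumptions taken from the policy and
proposal in the site-to-site post.
"""
import re
from dataclasses import dataclass, field

EXPECTED_TRANSFORM = "esp-aes-256 esp-sha-hmac"
EXPECTED_IKE = {"encr": "AES-CBC", "keysize": 256, "dh_group": 5, "auth": "PSK"}


@dataclass
class IpsecSaReport:
    present: bool
    peer: str = ""
    transform: str = ""
    counters: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)


def parse_ipsec_sa(text: str) -> IpsecSaReport:
    """Summarise the data-plane SA; flag one-way traffic, errors and odd transforms."""
    if "There are no ipsec sas" in text:
        # The SA is negotiated on demand: usually nothing has matched the crypto ACL yet.
        return IpsecSaReport(False, problems=["no IPsec SA yet: send traffic matching the crypto ACL"])
    rep = IpsecSaReport(True)
    m = re.search(r"current_peer:\s*(\S+)", text)
    rep.peer = m.group(1) if m else ""
    m = re.search(r"transform:\s*(esp-\S+ esp-\S+)", text)
    rep.transform = m.group(1) if m else ""
    # Every '#name: N' counter becomes a dict entry, e.g. counters['pkts encaps'].
    for name, value in re.findall(r"#([a-z][a-z -]*?):\s*(\d+)", text):
        rep.counters[name.strip()] = int(value)
    enc = rep.counters.get("pkts encaps", 0)
    dec = rep.counters.get("pkts decaps", 0)
    if enc and not dec:
        rep.problems.append("one-way: encapsulating but nothing decapsulated (far-end crypto ACL or NAT forwarding?)")
    if dec and not enc:
        rep.problems.append("one-way: decapsulating but nothing sent (local routing or crypto ACL?)")
    for name in ("send errors", "recv errors"):
        if rep.counters.get(name):
            rep.problems.append(f"{name}: {rep.counters[name]}")
    if rep.transform != EXPECTED_TRANSFORM:
        rep.problems.append(f"unexpected transform {rep.transform!r}")
    return rep


@dataclass
class Ikev2Report:
    status: str = ""
    tunnel_status: str = ""
    role: str = ""
    encr: str = ""
    keysize: int = 0
    hash_alg: str = ""
    dh_group: int = 0
    auth: str = ""
    problems: list = field(default_factory=list)


def parse_ikev2_sa(text: str) -> Ikev2Report:
    """Summarise the control-plane SA and compare it with the intended policy."""
    rep = Ikev2Report()
    m = re.search(r"Status:([^,\s]+)", text)
    rep.status = m.group(1) if m else ""
    m = re.search(r"^\s*\d+\s+\S+/\d+\s+\S+/\d+\s+(\w+)\s+(INITIATOR|RESPONDER)", text, re.M)
    if m:
        rep.tunnel_status, rep.role = m.group(1), m.group(2)
    m = re.search(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+), Auth sign: (\S+),", text)
    if m:
        rep.encr, rep.keysize, rep.hash_alg = m.group(1), int(m.group(2)), m.group(3)
        rep.dh_group, rep.auth = int(m.group(4)), m.group(5)
    if rep.status != "UP-ACTIVE" or rep.tunnel_status != "READY":
        rep.problems.append(f"IKE SA not up: {rep.status}/{rep.tunnel_status}")
    if (rep.encr, rep.keysize) != (EXPECTED_IKE["encr"], EXPECTED_IKE["keysize"]):
        rep.problems.append(f"cipher {rep.encr}-{rep.keysize} differs from policy")
    if rep.dh_group != EXPECTED_IKE["dh_group"]:
        rep.problems.append(f"negotiated DH group {rep.dh_group}, policy expects {EXPECTED_IKE['dh_group']}")
    if rep.auth != EXPECTED_IKE["auth"]:
        rep.problems.append(f"unexpected authentication {rep.auth}")
    return rep


SAMPLE_IPSEC_UP = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.0.2.6
      current_peer: 192.0.2.129
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
    inbound esp sas:
         transform: esp-aes-256 esp-sha-hmac no compression
"""
SAMPLE_IPSEC_NONE = "There are no ipsec sas\n"
# Constructed: same SA but nothing coming back from the far end.
SAMPLE_IPSEC_ONEWAY = SAMPLE_IPSEC_UP.replace(
    "#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4", "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")
SAMPLE_IKEV2 = """\
IKEv2 SAs:

Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 89722291         192.0.2.6/500       192.0.2.129/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3606 sec
"""

if __name__ == "__main__":
    for sample in (SAMPLE_IPSEC_UP, SAMPLE_IPSEC_NONE, SAMPLE_IPSEC_ONEWAY):
        print(parse_ipsec_sa(sample).problems or "ipsec: ok")
    print(parse_ikev2_sa(SAMPLE_IKEV2).problems or "ikev2: ok")
```

Run against live output (for example the text returned over SSH), the empty problems list is the "tunnel healthy" signal; the one-way case is the one to look at first after a NAT change, since a missing or wrong port forward shows up as encaps counting up with decaps stuck at zero.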

NAT-T

By default, an ASA will encapsulate both the IKEv2 negotiation and the IPSec encrypted packets in UDP 500. If you want to use NAT-T and encapsulate the IPSec packets in UDP 4500, then port forward UDP 4500 on the NAT router and enable NAT-T on each ASA:

NATRouter(config)# ip nat inside source static udp 192.168.1.1 4500 interface FastEthernet0/0 4500
ASA(config)# crypto isakmp nat-traversal

ASA 8.4 on Mac OSX 10.8

Like many before me I wanted to emulate an ASA in my GNS3 environment. I am a Mac user and found this to be tricky, so will post the steps I took to get it working here. Having done this, I was able to add a couple of ASAs to a topology and fire them up. I should add that they take a while to boot up! You’ll also need to add licences to the ASA, although that isn’t OSX specific.

QEMU

Unlike other versions, the OSX GNS3 package does not come with QEMU bundled. Apparently this will change in the next release but for now, we need to download and install the OSX build. This is pretty easy as the package comes with an install script, but I found I did need to fix the file permissions in /usr/local/bin.

First, download the QEMU built for OSX. Then unpack the tarball (tar zxvf QEMU-0.11.0-GNS3-OSX.tar). Finally, run the script:

./Qinstall
Making Directrories - if directories exist you may see errors, which can safely be ignored.
Please supply elevated credentials.
mkdir: /usr/local/: File exists
mkdir: /usr/local/bin/: File exists
Making /usr/local/bin directory...
Making /usr/local/share directory...
Copying files to their proper locations...
All done. Have fun with your JunOS patched version of QEMU!

I already had /usr/local/bin as it was created when I installed Wireshark. I found that the perms were 600 on /usr/local/bin and needed to adjust these so that my user could run them:

sudo chmod 755 /usr/local/bin

The files which the script placed in that directory were:

qemu
qemu-img
qemu-system-i386

We point our paths to the bottom two as shown:

QEMU Settings

Splitting the ASA binary

In order for QEMU to be able to boot the ASA software, we need to break it into two files:

asa842-vmlinuz
asa842-initrd.gz

Fortunately this is made infinitely simpler with the repack script, available here. I downloaded asa842-k8.bin from the Cisco website. I did try some newer releases but found the script doesn’t accept them. For now I’m happy with 8.4. As I have access to a Linux box, I ran the script on there. Version 4 of the script has a few dependencies (mkisofs/syslinux/cdrtools) as it produces an ISO among other things (which I didn’t need personally). I installed them anyway just to be sure the script would run cleanly.

[how@fantastic ~]$ ./repack.v4.sh asa845-smp-k8.bin
Repack script version: 4
which: no mkisofs in (/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/how/bin)
no syslinux/cdrtools - ISO creation skipped
Version is not supported!

So, I su’d up (thanks Barney) and ran yum install mkisofs. I also switched to asa842-k8.bin:

[root@fantastic ~]# ./repack.v4.sh asa842-k8.bin
Repack script version: 4
no syslinux/cdrtools - ISO creation skipped

Okay, one yum install syslinux later...

[root@fantastic ~]# ./repack.v4.sh asa842-k8.bin
Repack script version: 4
Detected syslinux/cdrtools - ISO will be created

This created the following files:

asa842-vmlinuz
asa842-initrd.gz
asa842-initrd-original
asa.iso

We are interested in the first two and configure the ASA Specific Settings in GNS3 as follows:

ASA GNS3 Settings

Final GNS3 configuration

I read that the kernel settings are sometimes distributed with the image, but I couldn’t find them. I got these from a number of sources. If anyone can tell me how to calculate them I’ll be most grateful. The screenshot above shows the config, but here it is for you to cut and paste.

Qemu Options:

-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

Kernel:

-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

This all done, I tested the settings. Don’t be concerned by the pemu error, it wasn’t ported to OSX apparently and is not needed for ASA emulation anyway.

test_settings

Links

Here are some of the resources I used to get this working:

http://www.brainbump.net/GNS3-How-to-emulate-ASA-8.4-2-under-QEMU
http://blog.ciscoinferno.net/gns3-and-cisco-asa-8-4-part-1
http://www.network-blog.com/ittech/post/2012/02/06/Configure-Cisco-ASA-firewall-version-84-on-GNS3.aspx

Site-to-site IPSec VPN

Introduction

In this post I will walk through the configuration of a site-to-site IPSec VPN tunnel using a pair of ASAs. I’ll use the terms eastbound and westbound to describe traffic flowing across the tunnel, relative to the diagram below.

Network Diagram

There is an error on this diagram: the tunnel (in blue) on the left should read 192.0.2.60 -> 192.0.2.129. I’ll fix this when I get the chance.

IPSecVPN

 

Tunnel Logic

You may think of the tunnel as a logical version of a dedicated point-to-point serial connection between the two ASAs. Since our logical point-to-point link is traversing the Internet we use IPSec encryption to prevent snooping. Each end of the tunnel is on a different subnet (obviously).

Routing

A-END (HOME BASE)

Here we only have transit networks and we use static routes which scales well enough for this simple point-to-point link.

  • For westbound traffic we have a default route to send all decapsulated tunnelled traffic received on the ASA out via the orange linknet to R1.
  • For eastbound traffic, R1 has a static route for 10.1.0.0/24 (the B-End client subnet) pointing east to the ASA. The ASA will encapsulate traffic with this destination into the IPSec tunnel.
  • Finally there is an eastbound default route for non-tunnelled traffic to reach any IPSec peers, remote management of the ASA and any other services.

B-End (Remote Site)

There is a default route on the B-End ASA sending everything via its westbound interface (outside). An ACL ensures everything from the local subnet (10.1.0.0/24) is encapsulated in the tunnel. Eastbound return traffic will be de-encapsulated and then routed internally by the ASA, so no ACL is needed.

IPSec

A-END Config

! Phase 2 - ipsec tunnel for the data
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1
! Phase 1 - isakmp tunnel to encrypt initial ASA chatter
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
! light up crypto on the outside interface
crypto ikev2 enable outside
! Define the B-END of the tunnel and configure PSK
tunnel-group 192.0.2.129 type ipsec-l2l
tunnel-group 192.0.2.129 ipsec-attributes
 ikev2 remote-authentication pre-shared-key B_END_KEY
 ikev2 local-authentication pre-shared-key A_END_KEY
! What traffic do we wish to send down the ipsec tunnel?
access-list OUTSIDE_CRYPTOMAP_10 remark ACL to encrypt traffic from anywhere to B-END
access-list OUTSIDE_CRYPTOMAP_10 extended permit ip any 10.1.0.0 255.255.255.0

! Bring it all together and enable on the outside interface
crypto map outside_map 10 match address OUTSIDE_CRYPTOMAP_10
crypto map outside_map 10 set peer 192.0.2.129
crypto map outside_map 10 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map outside_map interface outside

! Send tunneled traffic to the inside interface to be routed on the enterprise:
route inside 0.0.0.0 0.0.0.0 192.0.2.1 tunneled

B-END Config

!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 192.0.2.6 type ipsec-l2l
tunnel-group 192.0.2.6 ipsec-attributes
 ikev2 remote-authentication pre-shared-key A_END_KEY
 ikev2 local-authentication pre-shared-key B_END_KEY
!
object-group network clients
 network-object 10.1.0.0 255.255.255.0
access-list clients-out extended permit ip object-group clients any 
access-list clients-out extended permit icmp any any 
access-list OUTSIDE_CRYPTOMAP_10 remark ACL to encrypt traffic from local net to anywhere
access-list OUTSIDE_CRYPTOMAP_10 extended permit ip 10.1.0.0 255.255.255.0 any 
!
access-group clients-out in interface inside
!
crypto map outside_map 10 match address OUTSIDE_CRYPTOMAP_10
crypto map outside_map 10 set peer 192.0.2.6
crypto map outside_map 10 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map outside_map interface outside
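Most site-to-site failures come down to the two ends not being mirror images: the crypto ACLs (including any extra lines such as the ICMP permits added for testing in the NAT post at the top of this page), the pre-shared keys, the peer address and the proposal all have to line up. As an added example, not code from the original post, the following Python reads the tunnel-relevant lines of each ASA config and reports every mismatch it finds. The A_END and B_END strings are trimmed from the configs above; B_END_BAD_MASK is a constructed variant with a mistyped mask (255.255.225.0) to show what a single wrong digit looks like to the check.

```python
"""Mirror-consistency check for the two ends of an ASA IKEv2 site-to-site tunnel.

Added example, not code from the original post. It reads the tunnel-relevant
lines of each ASA config and reports what would stop the ends agreeing: a
crypto-map peer that is not the tunnel-group, pre-shared keys that are not
swapped, differing proposals, crypto ACL entries without a mirror image, and
masks that are not valid netmasks.
"""
import ipaddress
from typing import Dict, List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


def _operand(tok: List[str], i: int) -> Tuple[object, int]:
    """Consume one ACL address operand starting at tok[i]; return (value, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "object-group":            # opaque here: compared by name only
        return "object-group " + tok[i + 1], i + 2
    # 'address mask' form; a non-contiguous mask such as 255.255.225.0 raises ValueError
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1], strict=False), i + 2


def parse_end(config: str) -> Dict:
    """Extract peer, tunnel-group, PSKs, ESP proposal and crypto ACL entries from one config."""
    end: Dict = {"acl": {}, "psk": {}, "proposal": [], "acl_errors": []}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] == "!":
            continue
        if tok[0] == "tunnel-group" and tok[2] == "type":
            end["tunnel_group"] = tok[1]
        elif tok[0] == "ikev2" and tok[2] == "pre-shared-key":
            end["psk"][tok[1].split("-")[0]] = tok[3]           # 'remote' or 'local'
        elif tok[:2] == ["protocol", "esp"]:
            end["proposal"].append(" ".join(tok[2:]))
        elif tok[:2] == ["crypto", "map"] and tok[-2] == "peer":
            end["peer"] = tok[-1]
        elif tok[:2] == ["crypto", "map"] and tok[-2] == "address":
            end["acl_name"] = tok[-1]
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            try:
                src, i = _operand(tok, 5)
                dst, _ = _operand(tok, i)
                end["acl"].setdefault(tok[1], []).append((tok[4], src, dst))
            except ValueError as exc:
                end["acl_errors"].append(f"{line.strip()}: {exc}")
    return end


def check_pair(a_cfg: str, b_cfg: str) -> List[str]:
    """Return a list of mismatches between the A and B configs (empty = consistent)."""
    a, b = parse_end(a_cfg), parse_end(b_cfg)
    problems = a["acl_errors"] + b["acl_errors"]
    for name, end in (("A", a), ("B", b)):
        if end.get("peer") != end.get("tunnel_group"):
            problems.append(f"{name}: crypto map peer {end.get('peer')} != tunnel-group {end.get('tunnel_group')}")
    if a["psk"].get("remote") != b["psk"].get("local") or a["psk"].get("local") != b["psk"].get("remote"):
        problems.append("pre-shared keys are not swapped between the ends")
    if a["proposal"] != b["proposal"]:
        problems.append(f"ipsec-proposal differs: {a['proposal']} vs {b['proposal']}")
    a_entries = a["acl"].get(a.get("acl_name"), [])
    b_entries = b["acl"].get(b.get("acl_name"), [])
    for proto, src, dst in a_entries:                 # each A entry needs the swapped entry on B
        if (proto, dst, src) not in b_entries:
            problems.append(f"A entry 'permit {proto} {src} {dst}' has no mirror on B")
    for proto, src, dst in b_entries:
        if (proto, dst, src) not in a_entries:
            problems.append(f"B entry 'permit {proto} {src} {dst}' has no mirror on A")
    return problems


# Trimmed from the configs in this post; B_END_BAD_MASK is constructed.
A_END = """\
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1
tunnel-group 192.0.2.129 type ipsec-l2l
tunnel-group 192.0.2.129 ipsec-attributes
 ikev2 remote-authentication pre-shared-key B_END_KEY
 ikev2 local-authentication pre-shared-key A_END_KEY
access-list OUTSIDE_CRYPTOMAP_10 extended permit ip any 10.1.0.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP_10 extended permit icmp any 10.1.0.0 255.255.255.0
crypto map outside_map 10 match address OUTSIDE_CRYPTOMAP_10
crypto map outside_map 10 set peer 192.0.2.129
"""
B_END = """\
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1
tunnel-group 192.0.2.6 type ipsec-l2l
tunnel-group 192.0.2.6 ipsec-attributes
 ikev2 remote-authentication pre-shared-key A_END_KEY
 ikev2 local-authentication pre-shared-key B_END_KEY
access-list OUTSIDE_CRYPTOMAP_10 extended permit ip 10.1.0.0 255.255.255.0 any
access-list OUTSIDE_CRYPTOMAP_10 extended permit icmp 10.1.0.0 255.255.255.0 any
crypto map outside_map 10 match address OUTSIDE_CRYPTOMAP_10
crypto map outside_map 10 set peer 192.0.2.6
"""
B_END_BAD_MASK = B_END.replace("icmp 10.1.0.0 255.255.255.0 any", "icmp 10.1.0.0 255.255.225.0 any")

if __name__ == "__main__":
    print(check_pair(A_END, B_END) or "A/B consistent")
    print(check_pair(A_END, B_END_BAD_MASK))
```

The object-group case is deliberately compared by name only; resolving object-groups to their member networks would need the object definitions as well, which this example does not parse.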
!

Interfaces

A-END Config

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.0.2.2 255.255.255.252 
!
interface GigabitEthernet1/0
 nameif outside
 security-level 0
 ip address 192.0.2.6 255.255.255.252

B-END Config

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.0.254 255.255.255.0 
!
interface GigabitEthernet1/0
 nameif outside
 security-level 0
 ip address 192.0.2.129 255.255.255.252

Logging

Since the B-End is remote, it would be preferable to log over TCP as it would give more certainty as to the source of the packets. However, this can overload the ASA, so we are stuck with UDP. We log more information at the A-End as the traffic doesn’t get encrypted, so is less of a burden.

A-END

!
logging timestamp
logging trap notifications
logging host outside <LOGGING_HOST>
!

B-END

You can enable buffered logging as needed.

!
logging enable
logging timestamp
logging trap warnings
logging host outside <LOGGING_HOST>
!

Routing Config

For simplicity this example uses static routes. R1 has a static route to send the client network via the A-End ASA:

ip route 10.1.0.0 255.255.255.0 192.0.2.2

The A-END ASA has a default route eastbound, so that it can reach any IPSec peer:

route outside 0.0.0.0 0.0.0.0 192.0.2.5 1

The A-END ASA also needs to be able to route traffic when it pops out of the tunnel, whatever its destination address:

route inside 0.0.0.0 0.0.0.0 192.0.2.1 tunneled

The B-End ASA has a static route to send everything (non-tunnel) via its outside linknet. It doesn’t need a tunneled route as the only possible destination is the client LAN 10.1.0.0/24.

route outside 0.0.0.0 0.0.0.0 192.0.2.130 1
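The four routes above are easier to reason about as a lookup table. The following is an added example, not code from the original post: it models the FIB of R1 and of each ASA (the static routes above plus the connected linknets from the Interfaces section) and runs the lookups this section describes. The handling of the tunneled keyword is an assumption of the model, following the documented ASA behaviour that decapsulated VPN traffic with no more specific route takes the tunneled default rather than the ordinary one.

```python
"""Route lookups for the boxes in this post, including the ASA 'tunneled' default.

Added example, not code from the original post. FIBs are built from the static
and connected routes shown on this page; the 'tunneled' rule is a model of the
documented ASA behaviour and is an assumption here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: str                 # "connected" for directly attached subnets
    tunneled: bool = False        # ASA 'tunneled' keyword


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def lookup(fib: List[Route], dst: str, from_tunnel: bool = False) -> Optional[Route]:
    """Longest-prefix match; tunneled routes only apply to decapsulated traffic
    that nothing more specific than a default route would carry."""
    addr = ipaddress.ip_address(dst)
    normal = [r for r in fib if not r.tunneled and addr in r.prefix]
    best = max(normal, key=lambda r: r.prefix.prefixlen, default=None)
    if from_tunnel and (best is None or best.prefix.prefixlen == 0):
        for r in fib:
            if r.tunneled and addr in r.prefix:
                return r
    return best


# A-END ASA: two linknets, an ordinary default eastbound and a tunneled default westbound.
A_END = [
    Route(net("192.0.2.0/30"), "inside", "connected"),
    Route(net("192.0.2.4/30"), "outside", "connected"),
    Route(net("0.0.0.0/0"), "outside", "192.0.2.5"),
    Route(net("0.0.0.0/0"), "inside", "192.0.2.1", tunneled=True),
]
# R1: only needs to know the B-End client subnet lives behind the ASA.
R1 = [Route(net("10.1.0.0/24"), "east", "192.0.2.2")]
# B-END ASA: client LAN connected, everything else via the outside linknet.
B_END = [
    Route(net("10.1.0.0/24"), "inside", "connected"),
    Route(net("192.0.2.128/30"), "outside", "connected"),
    Route(net("0.0.0.0/0"), "outside", "192.0.2.130"),
]


def describe(name: str, fib: List[Route], dst: str, from_tunnel: bool = False) -> str:
    r = lookup(fib, dst, from_tunnel)
    kind = "decapsulated" if from_tunnel else "ordinary"
    if r is None:
        return f"{name}: no route to {dst}"
    return f"{name}: {kind} packet to {dst} -> {r.interface} via {r.next_hop}"


if __name__ == "__main__":
    print(describe("A-END", A_END, "8.8.8.8", from_tunnel=True))  # tunneled default -> inside
    print(describe("A-END", A_END, "192.0.2.129"))                 # IKE to the peer -> outside
    print(describe("A-END", A_END, "10.1.0.3"))                    # outside; the crypto map then encrypts it
    print(describe("R1", R1, "10.1.0.3"))
    print(describe("B-END", B_END, "8.8.8.8"))
    print(describe("B-END", B_END, "10.1.0.3", from_tunnel=True))  # connected; no tunneled route needed
```

The third A-END lookup makes the point the post relies on: eastbound traffic for 10.1.0.0/24 is routed by the ordinary default out of the outside interface, and it is the crypto map on that interface, not a route, that decides to encapsulate it.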

Through NAT?

If you want to read about setting up an IPSec VPN through NAT, see this follow up post.