Showing posts with label CISCO. Show all posts

Jul 30, 2011

Linux VPN Client: disconnect every 600s (10min)

You are trying to connect to a Cisco PIX or Cisco ASA from a Linux PC and the connection drops after 10 minutes?
After googling around you found the following hints:
  • rekeying problem (not implemented for Linux)
  • missing open ports in your firewall (500 UDP, 4500 UDP, 10000 UDP)
  • write an automatic restart script
  • set the MTU size on tun0 below 1300
  • disable dead peer detection (--dpd-idle 0)
    this is done via port 500
  • ...
None of these tips worked. And now?
Let's take a look at the debug messages from vpnc:
vpnc --no-detach --debug 2 profile0
After 10 minutes:
S7.2 QM_packet2 send_receive
S7.3 QM_packet2 validate type
vpnc: no response from target
Anything learned? The connection is dead again, with "no response from target"...
Where are these response packets? Let's take a look at Wireshark:


Hmmm
Dst Port 500...
Let's try the following:
vpnc --no-detach --debug 2 --dh dh5 gip2
and voila: no disconnects anymore...

Why?
Read this link:
The Diffie-Hellman Group 5 feature enables group 5 on all platforms that support crypto images. Group 5 specifies the 1536-bit Diffie-Hellman group, which is a method of establishing a shared key over an insecure medium.

So my advice:
If your VPN disconnects after some minutes, try some of the CLI options of vpnc, or ask your administrator which Diffie-Hellman group is configured...

Here are the CLI options (via vpnc --long-help):
Usage: vpnc [--version] [--print-config] [--help] [--long-help] [options] [config files]

Options:
--gateway <ip/hostname>
IP/name of your IPSec gateway
conf-variable: IPSec gateway <ip/hostname>

--id <ASCII string>
your group name
conf-variable: IPSec ID <ASCII string>

(configfile only option)
your group password (cleartext)
conf-variable: IPSec secret <ASCII string>

(configfile only option)
your group password (obfuscated)
conf-variable: IPSec obfuscated secret <hex string>

--username <ASCII string>
your username
conf-variable: Xauth username <ASCII string>

(configfile only option)
your password (cleartext)
conf-variable: Xauth password <ASCII string>

(configfile only option)
your password (obfuscated)
conf-variable: Xauth obfuscated password <hex string>

--domain <ASCII string>
(NT-) Domain name for authentication
conf-variable: Domain <ASCII string>

--xauth-inter
enable interactive extended authentication (for challenge response auth)
conf-variable: Xauth interactive

--dpd-idle
idle timeout for dead peer detection; --dpd-idle 0 disables it (see the hints above)

--vendor <cisco/netscreen>
vendor of your IPSec gateway
Default: cisco
conf-variable: Vendor <cisco/netscreen>

--natt-mode <natt/none/force-natt/cisco-udp>
Which NAT-Traversal Method to use:
* natt -- NAT-T as defined in RFC3947
* none -- disable use of any NAT-T method
* force-natt -- always use NAT-T encapsulation even
without presence of a NAT device
(useful if the OS captures all ESP traffic)
* cisco-udp -- Cisco proprietary UDP encapsulation, commonly over Port 10000
Note: cisco-tcp encapsulation is not yet supported
Default: natt
conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>

--script <command>
command is executed using system() to configure the interface,
routing and so on. Device name, IP, etc. are passed using environment
variables, see README. This script is executed right after ISAKMP is
done, but before tunneling is enabled. It is called when vpnc
terminates, too
Default: /etc/vpnc/vpnc-script
conf-variable: Script <command>

--dh <dh1/dh2/dh5>
name of the IKE DH Group
Default: dh2
conf-variable: IKE DH Group <dh1/dh2/dh5>

--pfs <nopfs/dh1/dh2/dh5/server>
Diffie-Hellman group to use for PFS
Default: server
conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>

--enable-1des
enables weak single DES encryption
conf-variable: Enable Single DES

--enable-no-encryption
enables using no encryption for data traffic (key exchange must be encrypted)
conf-variable: Enable no encryption

--application-version <ASCII string>
Application Version to report. Note: Default string is generated at runtime.
Default: Cisco Systems VPN Client 0.5.3:Linux
conf-variable: Application version <ASCII string>

--ifname <ASCII string>
visible name of the TUN/TAP interface
conf-variable: Interface name <ASCII string>

--ifmode <tun/tap>
mode of TUN/TAP interface:
* tun: virtual point to point interface (default)
* tap: virtual ethernet interface
Default: tun
conf-variable: Interface mode <tun/tap>

--debug <0/1/2/3/99>
Show verbose debug messages
* 0: Do not print debug information.
* 1: Print minimal debug information.
* 2: Show statemachine and packet/payload type information.
* 3: Dump everything excluding authentication data.
* 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
conf-variable: Debug <0/1/2/3/99>

--no-detach
Don't detach from the console after login
conf-variable: No Detach

Report bugs to vpnc@unix-ag.uni-kl.de
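The two checks from this post, as an added example that is not part of the original post and not code from vpnc: first, reading the vpnc debug output for the "no response from target" message and checking whether it arrived during a Quick Mode (QM_packet2) exchange close to the 600 s boundary, which is the rekey failure seen above; second, auditing a vpnc profile using the conf-variable names listed in the help output and flagging the settings the help text itself marks as weak or dangerous (single DES, no encryption, dh1, Debug 99, cleartext credentials). vpnc does not timestamp its output, so the script assumes a wall-clock prefix was added by a wrapper (for example the moreutils tool ts). The sample log lines other than the three quoted in the post, the two profiles, and the gateway and user names are constructed for this example.

```python
"""Added example: diagnose the 10-minute vpnc disconnect from timestamped
debug output and audit a vpnc profile for weak settings (conf-variable
names as listed by `vpnc --long-help`). Not from the post or from vpnc."""
import re

# --- 1. Diagnose the debug output --------------------------------------
# Constructed sample: each line prefixed with HH:MM:SS by a wrapper such as
# `vpnc --no-detach --debug 2 profile0 | ts %T`. The first two lines are
# constructed markers; the last three are the messages quoted in the post.
SAMPLE_LOG = """\
12:00:00 S1 init_sockaddr
12:00:02 S7 setup_link
12:10:01 S7.2 QM_packet2 send_receive
12:10:31 S7.3 QM_packet2 validate type
12:10:31 vpnc: no response from target
"""

_TS = re.compile(r"^(\d{2}):(\d{2}):(\d{2}) (.*)$")


def diagnose(log_text, rekey_interval=600, slack=60):
    """Describe the first 'no response from target' event in the log.

    If the message follows a QM_packet2 (Quick Mode) exchange and lands
    within `slack` seconds of a multiple of `rekey_interval`, the tunnel
    most likely died at the rekey, which is the pattern from the post.
    """
    events = []
    for line in log_text.splitlines():
        m = _TS.match(line)
        if m:
            h, mi, s, msg = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), msg))
    if not events:
        return {"status": "no timestamped lines"}
    start = events[0][0]
    dead = [t for t, msg in events if "no response from target" in msg]
    if not dead:
        return {"status": "ok"}
    elapsed = dead[0] - start
    in_quick_mode = any("QM_packet2" in msg for t, msg in events if t <= dead[0])
    result = {"status": "disconnected", "elapsed": elapsed,
              "during_quick_mode": in_quick_mode}
    nearest = round(elapsed / rekey_interval) * rekey_interval
    if in_quick_mode and nearest and abs(elapsed - nearest) <= slack:
        result["likely_cause"] = "phase-2 rekey rejected by gateway"
        result["hint"] = "try --dh dh5, or ask the administrator for the configured DH group"
    return result


# --- 2. Audit a vpnc profile --------------------------------------------
# conf-variable names from the --long-help output quoted in the post.
KNOWN_KEYS = (
    "IPSec gateway", "IPSec ID", "IPSec secret", "IPSec obfuscated secret",
    "Xauth username", "Xauth password", "Xauth obfuscated password", "Domain",
    "Xauth interactive", "Vendor", "NAT Traversal Mode", "Script",
    "IKE DH Group", "Perfect Forward Secrecy", "Enable Single DES",
    "Enable no encryption", "Application version", "Interface name",
    "Interface mode", "Debug", "No Detach",
)


def parse_profile(text):
    """Return {conf-variable: value}; keys contain spaces, so match the
    longest known key at the start of each line (flags get value '')."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for key in sorted(KNOWN_KEYS, key=len, reverse=True):
            if line == key or line.startswith(key + " "):
                settings[key] = line[len(key):].strip()
                break
    return settings


def audit_profile(text):
    """List settings that weaken the tunnel or leak credentials."""
    s = parse_profile(text)
    findings = []
    if "Enable Single DES" in s:
        findings.append("Enable Single DES: single DES is weak; drop it unless the gateway offers nothing else")
    if "Enable no encryption" in s:
        findings.append("Enable no encryption: data traffic would leave the tunnel unencrypted")
    if s.get("IKE DH Group") == "dh1":
        findings.append("IKE DH Group dh1: 768-bit group 1 is too small; use dh5 (1536-bit) if the gateway supports it")
    if s.get("Perfect Forward Secrecy") == "nopfs":
        findings.append("Perfect Forward Secrecy nopfs: no fresh DH exchange for the data keys")
    if s.get("Debug") == "99":
        findings.append("Debug 99: dumps authentication data including passwords into the log")
    for key in ("IPSec secret", "Xauth password"):
        if key in s:
            findings.append(f"{key}: cleartext credential in the profile; keep the file readable by root only")
    return findings


# Constructed profiles: a weak one and a hardened one (names are placeholders).
WEAK_PROFILE = """\
IPSec gateway vpn.example.com
IPSec ID mygroup
IPSec secret grouppassword
Xauth username alice
IKE DH Group dh1
Perfect Forward Secrecy nopfs
Enable Single DES
Debug 99
"""

HARDENED_PROFILE = """\
IPSec gateway vpn.example.com
IPSec ID mygroup
IPSec obfuscated secret 0a0b0c
Xauth username alice
IKE DH Group dh5
Perfect Forward Secrecy server
NAT Traversal Mode natt
Debug 0
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    for finding in audit_profile(WEAK_PROFILE):
        print("weak profile:", finding)
    print("hardened profile findings:", audit_profile(HARDENED_PROFILE))
```

On the sample log the diagnosis reports a disconnect 631 s after the first line, during a Quick Mode exchange, and points at the rekey; on the weak profile the audit returns five findings and on the hardened one none. The 600 s window is an assumption taken from the post's observation, not a vpnc constant.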

Jun 14, 2011

Review at amazon: IPv6 Security

World IPv6 Day was one week ago, and many participants still announce their websites with AAAA records.
But what does this mean? -> IPv6 is already around us, and it is time (ok, it is a little bit late, but hopefully not too late ;-) to dive deep...

One book to dive into is:


Here are some phrases from the summary:
IPv6 Security: Protection measures for the next Internet Protocol

As the world's networks migrate to the IPv6 protocol, networking professionals need a clearer understanding of the security risks, threats, and challenges this transition presents. In IPv6 Security, two of the world's leading Internet security practitioners review each potential security issue introduced by IPv6 networking and present today's best solutions.

IPv6 Security offers guidance for avoiding security problems prior to widespread IPv6 deployment. The book covers every component of today's networks, identifying specific security deficiencies that occur within IPv6 environments and demonstrating how to combat them. The authors describe best practices for identifying and resolving weaknesses as you maintain a dual stack network. Then they describe the security mechanisms you need to implement as you migrate to an IPv6-only network.

This book is one of the best IPv6 books on the market. In contrast to IPv6 for Enterprise Networks, every topic is well introduced and then explained with really good figures and commented configurations. Even if you are just looking for the commands on different operating systems: chapter 7 is your candidate (Windows, Linux, BSD, Solaris...). If you want to build a firewall: chapter 5 contains a list of subnets you should block and what else is important for IPv6 firewalls...
You are interested in transition mechanisms? Read chapter 10 (for the coming years this will be an important chapter...)

If you are interested, take a look at my review at amazon.de (like all my reviews: written in German ;-).

May 13, 2011

Review at amazon: IPv6 for Enterprise Networks

I was looking for books about IPv6. One book I found was:


The summary sounds quite good:
Four leading Cisco IPv6 experts present a practical approach to organizing and executing your large-scale IPv6 implementation. They show how IPv6 affects existing network designs, describe common IPv4/IPv6 coexistence mechanisms, guide you in planning, and present validated configuration examples for building labs, pilots, and production networks.
[...]
Finally, they translate IPv6 concepts into usable configurations. Up-to-date and practical, IPv6 for Enterprise Networks is an indispensable resource for every network engineer, architect, manager, and consultant who must evaluate, plan, migrate to, or manage IPv6 networks.
Some chapters are really informative and cover some really nice aspects. But the main chapter (chapter 6) is unclear and confusing:
  • many Cisco configurations without explanations
  • many topics without any grouping or structure
If you have the time to implement the configurations in your lab, this book might be helpful. But if you only want to read, you should look for an alternative.
If you are interested, take a look at my review at amazon.de (like all my reviews: written in German ;-).

Mar 24, 2011

Debian 6: IPSec-VPN?! -> Network-Manager

After changing to Debian 6 I had to recompile the Cisco IPSec kernel module (cisco_ipsec.ko). But I ended up with:
hades:/packages/vpnclient# ./vpn_install
Cisco Systems VPN Client Version 4.8.02 (0030) Linux Installer
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
....
Making module
make -C /lib/modules/2.6.37.3/build SUBDIRS=/packages/vpnclient modules
make[1]: Entering directory `/usr/src/linux-2.6.37.3'
CC [M] /packages/vpnclient/linuxcniapi.o
/packages/vpnclient/linuxcniapi.c:14:28: error: linux/autoconf.h: Datei oder Verzeichnis nicht gefunden
make[2]: *** [/packages/vpnclient/linuxcniapi.o] Fehler 1
make[1]: *** [_module_/packages/vpnclient] Fehler 2
make[1]: Leaving directory `/usr/src/linux-2.6.37.3'
make: *** [default] Fehler 2
Failed to make module "cisco_ipsec.ko".
OK... this does not work anymore.
But the network-manager has one tab labelled VPN... What about using this one?

The first try was not successful, because the "add" button was disabled. After some googling around there was a hint to install the following package:
apt-get install network-manager-pptp-gnome
The button was enabled, but only Point-to-Point Tunneling Protocol could be chosen. A lookup on http://packages.debian.org showed the following packages in addition:
apt-get install network-manager-openvpn-gnome
apt-get install network-manager-vpnc-gnome
After installing these packages the following VPN types were selectable:

And when choosing vpnc the following dialog was shown

and after filling in all parameters, the VPN connection was established without any problem...


Nov 24, 2007

2XK is over...

The second xyna conference (2XK) is over. On the gip web pages you can take a look at the official press release and get an impression.
There were keynotes given by SUN (a very humorous lecture about Wonderland Inc. from M. Jeske about Second Life for business), CISCO, Fokus and Oracle. And of course the keynote from the director of the GIP research institute, B. Reifenhäuser.

Here is a short summary from the official agenda:

Xyna Service Factory: The fractal Telco-factory as the answer to the challenging defiances within Telco industrialization

Network abstraction as integral building block for fractal factories: Cisco next generation device and network management

Project Wonderland Inc. (Sun Laboratories): Web 2.0 for Enterprise Environments

From MetaSolv to Oracle Communication Service Fulfillment Suite: Driving Service Delivery Innovation in Communications

New FOKUS Open SOA Telco Playground: Evolution of Telco Service Platforms in Face of Network Convergence and SOA Principles


The first photos (including the party) are available...