Showing posts with label Remote Access. Show all posts

Thursday, 21 January 2010

Vyatta - Example of OpenVPN infront of Microsoft ISA Server

Another day another lab :)



This scenario was given to me by someone who stopped by the blog and wondered if it was possible to swap out some of the kit in front of his ISA box with Vyatta... the answer of course was yes!
Here is the diagram:


Here are the videos:
Part 1:
Initial Setup and Testing

Vyatta - Example of OpenVPN infront of Microsoft ISA Server - Part 1 from Richard Vimeo on Vimeo.



Part 2:
Second part of the lab setup

Vyatta - Example of OpenVPN infront of Microsoft ISA Server - Part 2 from Richard Vimeo on Vimeo.



Part 3:
Load Balancing
Certificate Setup
OpenVPN Site to Site setup


Vyatta - Example of OpenVPN infront of Microsoft ISA Server - Part 3 from Richard Vimeo on Vimeo.




Part 4:
Certificate Setup/signing/installing etc
OpenVPN Site to Site setup continued..
OpenVPN Remote Access setup (+Client)


Vyatta - Example of OpenVPN infront of Microsoft ISA Server - Part 4 from Richard Vimeo on Vimeo.




Part 5:
DMZ Setup
DMZ Routing & NAT
Testing!


Vyatta - Example of OpenVPN infront of Microsoft ISA Server - Part 5 from Richard Vimeo on Vimeo.




Configs!
R1

/**********************************************************************\
firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 98.63.88.81/29
        address 98.63.88.82/29
        address 98.63.88.83/29
        address 98.63.88.84/29
        address 98.63.88.85/29
        description ISP1
        duplex auto
        hw-id 00:0c:29:7f:b2:7d
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 75.93.91.193/29
        address 75.93.91.194/29
        address 75.93.91.195/29
        address 75.93.91.196/29
        description ISP2
        duplex auto
        hw-id 00:0c:29:7f:b2:87
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address 10.0.12.1/24
        description R1-ISA
        duplex auto
        hw-id 00:0c:29:7f:b2:91
        smp_affinity auto
        speed auto
    }
    ethernet eth3 {
        address 10.0.2.1/24
        description R1-DMZ
        duplex auto
        hw-id 00:0c:29:7f:b2:9b
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        local-host 98.63.88.81
        mode server
        replace-default-route {
        }
        server {
            subnet 10.1.8.0/24
        }
        tls {
            ca-cert-file /etc/openvpn/ca.crt
            cert-file /etc/openvpn/r1.crt
            dh-file /etc/openvpn/dh1024.pem
            key-file /etc/openvpn/r1.key
        }
    }
    openvpn vtun1 {
        local-address 10.1.9.1
        local-host 75.93.91.193
        mode site-to-site
        remote-address 10.1.9.2
        remote-host 213.123.123.10
        tls {
            ca-cert-file /etc/openvpn/ca.crt
            cert-file /etc/openvpn/r1.crt
            dh-file /etc/openvpn/dh1024.pem
            key-file /etc/openvpn/r1.key
            role passive
        }
    }
}
load-balancing {
    wan {
        flush-connections
        interface-health eth0 {
            failure-count 2
            nexthop 98.63.88.86
            success-count 1
            test 10 {
                ping
                resp-time 5
                target 98.63.88.86
            }
        }
        interface-health eth1 {
            failure-count 1
            nexthop 75.93.91.198
            success-count 1
            test 10 {
                ping
                resp-time 5
                target 75.93.91.198
            }
        }
        rule 10 {
            destination {
                address !10.0.0.0/16
            }
            inbound-interface eth2
            interface eth0 {
                weight 1
            }
            interface eth1 {
                weight 1
            }
            protocol all
        }
        rule 20 {
            destination {
                address !10.0.0.0/16
            }
            inbound-interface eth3
            interface eth0 {
                weight 1
            }
            interface eth1 {
                weight 1
            }
            protocol all
        }
        rule 30 {
            destination {
                address !10.0.0.0/16
            }
            inbound-interface vtun0
            interface eth0 {
                weight 1
            }
            interface eth1 {
                weight 1
            }
            protocol all
        }
    }
}
protocols {
    static {
        interface-route 10.0.10.0/24 {
            next-hop-interface vtun1 {
            }
        }
        route 0.0.0.0/0 {
            next-hop 75.93.91.198 {
            }
            next-hop 98.63.88.86 {
            }
        }
        route 10.0.0.0/24 {
            next-hop 10.0.12.2 {
            }
        }
        route 10.0.1.0/24 {
            blackhole {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name POOL1 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name Vyatta.local
                lease 86400
                start 192.168.10.10 {
                    stop 192.168.10.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth2
            listen-on eth3
            listen-on vtun0
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    nat {
        rule 10 {
            destination {
                address 75.93.91.194
                port 25
            }
            inbound-interface eth1
            inside-address {
                address 10.0.2.10
                port 25
            }
            protocol tcp
            type destination
        }
    }
    ssh {
        allow-root true
        port 22
        protocol-version v2
    }
}
system {
    host-name R1
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository kenwood {
            components main
            distribution kenwood
            password ""
            url http://packages.vyatta.com/vyatta-dev/kenwood/unstable/
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@1:nat@3:quagga@1:system@1:vrrp@1:wanloadbalance@1:webgui@1" === */
/* Release version: VC6_a2 */




/**********************************************************************\



R2

/**********************************************************************\
firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 213.123.123.10/24
        description Outside
        duplex auto
        hw-id 00:0c:29:f5:c1:84
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 10.0.10.1/24
        description Inside
        duplex auto
        hw-id 00:0c:29:f5:c1:8e
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        description DMZ
        duplex auto
        hw-id 00:0c:29:f5:c1:98
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun1 {
        local-address 10.1.9.2
        mode site-to-site
        remote-address 10.1.9.1
        remote-host 75.93.91.193
        tls {
            ca-cert-file /etc/openvpn/ca.crt
            cert-file /etc/openvpn/r2.crt
            key-file /etc/openvpn/r2.key
            role active
        }
    }
}
protocols {
    static {
        interface-route 10.0.0.0/24 {
            next-hop-interface vtun1 {
            }
        }
        interface-route 10.0.2.0/24 {
            next-hop-interface vtun1 {
            }
        }
        interface-route 10.0.12.0/24 {
            next-hop-interface vtun1 {
            }
        }
        route 0.0.0.0/0 {
            next-hop 213.123.123.1 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name POOL1 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name Vyatta.local
                lease 86400
                start 192.168.10.10 {
                    stop 192.168.10.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    nat {
        rule 10 {
            destination {
                address !10.0.0.0/16
            }
            outbound-interface eth0
            source {
                address 10.0.10.0/24
            }
            type masquerade
        }
    }
    ssh {
        allow-root true
        port 22
        protocol-version v2
    }
}
system {
    host-name R2
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository kenwood {
            components main
            distribution kenwood
            password ""
            url http://packages.vyatta.com/vyatta-dev/kenwood/unstable/
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@1:nat@3:quagga@1:system@1:vrrp@1:wanloadbalance@1:webgui@1" === */
/* Release version: VC6_a2 */

/**********************************************************************\
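Two things stand out when reading the R1 and R2 configs as a reviewer: both define a firewall ruleset (ALLOW_ESTABLISHED) that is never bound to any interface with "firewall { in { name ... } }", and both leave "ssh allow-root true" on; R1 also points OpenVPN at a 1024-bit DH file. Those are easy to miss by eye in a 300-line config, so here is a small parser for the brace-style Vyatta format plus an audit that flags them. This is an added example, not the post's or Vyatta's code; the sample config is constructed (it reuses the page's structure, with placeholder addresses and a placeholder password hash), the "interfaces ethernet ethX firewall in name" binding syntax is the VC6-era form assumed here, and the DH check is a heuristic on the file name only.

```python
import re

# Constructed sample in the same brace format as the R1/R2 configs above, with
# one ruleset bound to an interface (DMZ_IN) and one orphaned (ALLOW_ESTABLISHED).
SAMPLE_CONFIG = """\
firewall {
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    name DMZ_IN {
        default-action drop
    }
}
interfaces {
    ethernet eth0 {
        address 198.51.100.1/29
        description ISP1
    }
    ethernet eth3 {
        address 10.0.2.1/24
        description R1-DMZ
        firewall {
            in {
                name DMZ_IN
            }
        }
    }
    openvpn vtun0 {
        mode server
        tls {
            dh-file /etc/openvpn/dh1024.pem
        }
    }
}
service {
    ssh {
        allow-root true
        port 22
        protocol-version v2
    }
}
system {
    login {
        user root {
            authentication {
                encrypted-password $PLACEHOLDER_HASH$
                plaintext-password ""
            }
        }
    }
}
"""


def parse_vyatta(text):
    """Parse a brace-style Vyatta config into nested dicts.

    Each block becomes a dict keyed by its header ("ethernet eth0"); leaf
    lines are kept under the "" key as a list, so repeated leaves such as
    multiple "address" or "name-server" lines all survive.
    """
    root = {"": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks and the /* ... */ banner lines Vyatta writes around a config.
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
        elif line.endswith("{"):
            node = {"": []}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            stack[-1][""].append(line)
    if len(stack) != 1:
        raise ValueError("unbalanced braces: %d block(s) left open" % (len(stack) - 1))
    return root


def _leaf_value(node, key):
    """Return the value of the leaf 'key value' in node, or None if absent."""
    for leaf in node.get("", []):
        parts = leaf.split(None, 1)
        if parts[0] == key:
            return parts[1] if len(parts) > 1 else ""
    return None


def audit(tree):
    """Return a list of human-readable findings for the parsed config."""
    findings = []
    # 1. Rulesets defined under 'firewall name X' but never bound to an interface.
    defined = {k.split(None, 1)[1] for k in tree.get("firewall", {}) if k.startswith("name ")}
    applied = set()
    for ifkey, ifnode in tree.get("interfaces", {}).items():
        if ifkey == "":
            continue
        for dirkey, dirnode in ifnode.get("firewall", {}).items():
            if dirkey == "":
                continue
            name = _leaf_value(dirnode, "name")
            if name:
                applied.add(name)
    for name in sorted(defined - applied):
        findings.append("firewall ruleset %s is defined but not applied to any interface" % name)
    # 2. Root login over SSH enabled.
    ssh = tree.get("service", {}).get("ssh", {})
    if _leaf_value(ssh, "allow-root") == "true":
        findings.append("service ssh allow-root true: root can log in over SSH")
    # 3. OpenVPN DH parameter size, inferred from the dh-file name (heuristic only).
    for ifkey, ifnode in tree.get("interfaces", {}).items():
        if not ifkey.startswith("openvpn "):
            continue
        dh = _leaf_value(ifnode.get("tls", {}), "dh-file") or ""
        m = re.search(r"dh(\d+)", dh)
        if m and int(m.group(1)) < 2048:
            findings.append("%s uses %s-bit DH parameters (%s)" % (ifkey, m.group(1), dh))
    return findings


def audit_text(text):
    return audit(parse_vyatta(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print(finding)
```

Feeding the R1 or R2 listing above to audit_text() reports the unbound ALLOW_ESTABLISHED ruleset and the root SSH login on both, and the dh1024.pem file on R1; the orphaned ruleset is the one to fix first, since without a binding the box forwards between ISP, ISA and DMZ segments with no stateful filter of its own.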




ISA Screenshots:







Enjoy!

Wednesday, 30 September 2009

PIX/ASA Remote Access VPN with L2L VPN and Failover - How to

This is the practical for this lab:
here

There are a few things that we have already covered in other labs, LAN to LAN (or site to site) VPNs, NAT etc. However, the main reason for this lab is threefold.

1) Setting up Active/Standby Failover
2) Setting up remote access IPSec VPN (in combination with L2L VPN)
3) Allowing the Remote User access to the Spoke Via Split Tunneling


When setting up failover, you should set up the first "unit" with a basic configuration, then use the LAN failover interface to sync the two up.


So here is the basic config on FW1 (Primary unit):

Setting up the Interfaces:

interface Ethernet0
 nameif Outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Ethernet1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet2
 description trunk for failovers
!
interface Ethernet2.200
 description LAN Failover Interface
 vlan 200
!
interface Ethernet2.300
 description STATE Failover Interface
 vlan 300
!


Note: The failover interfaces cannot be on a shared interface.

Diagnostic ACL for pings etc:

access-list WAN_IN extended permit icmp any any
access-group WAN_IN in interface Outside


NAT

global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0


Default Gateway:

route Outside 0.0.0.0 0.0.0.0 10.0.0.4



Failover Config (Primary):

failover lan unit primary
failover lan interface lan-fo Ethernet2.200
failover polltime unit msec 200 holdtime msec 800
failover key letmeinfo
failover link state-fo Ethernet2.300
failover interface ip lan-fo 192.168.20.1 255.255.255.0 standby 192.168.20.2
failover interface ip state-fo 192.168.30.1 255.255.255.0 standby 192.168.30.2
failover lan enable
failover


Failover Config (Secondary):
This unit up until now had a blank configuration.

interface Ethernet2
 description trunk for failovers
!
interface Ethernet2.200
 description LAN Failover Interface
 vlan 200
!
failover lan unit secondary
failover lan interface lan-fo Ethernet2.200
failover key letmeinfo
failover interface ip lan-fo 192.168.20.1 255.255.255.0 standby 192.168.20.2
failover lan enable
failover


At this point you should wait until the two configurations are synced up and the primary has taken the "active" role.

Setting up L2L VPN:

access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list NO-NAT
crypto ipsec transform-set FW1-TRANSFORM esp-3des esp-sha-hmac
crypto map FW1 10 match address IPSEC-TUN
crypto map FW1 10 set peer 10.0.34.3
crypto map FW1 10 set transform-set FW1-TRANSFORM
! the map does nothing until it is bound to the interface facing the peer
crypto map FW1 interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 10.0.34.3 type ipsec-l2l
tunnel-group 10.0.34.3 ipsec-attributes
 pre-shared-key letmeinl2l


Setting up the other end (FW3):
Basic setup:

!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.0.34.3 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!


VPN and ACLs:

access-list WAN_IN extended permit icmp any any
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group WAN_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.34.4 1
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
! IPSEC-TUN is only useful once a crypto map references it; the transform-set and
! map names FW3-TRANSFORM and FW3 are assumed here, the listing does not give them
crypto ipsec transform-set FW3-TRANSFORM esp-3des esp-sha-hmac
crypto map FW3 10 match address IPSEC-TUN
crypto map FW3 10 set peer 10.0.0.1
crypto map FW3 10 set transform-set FW3-TRANSFORM
crypto map FW3 interface outside
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 pre-shared-key letmeinl2l



Now, as it stands we should have a "Hub" and a "Spoke" set up with an L2L VPN between the sites, as well as their own WAN (internet) traffic going out untouched.

Now Remote Access VPN:
Obviously LAN = 192.168.1.0/24 and VPN = 10.1.1.0/24

access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ftp
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list 101 extended permit icmp any any
aaa-server acs protocol radius
aaa-server acs (Outside) host 192.168.0.45
 timeout 5
 key letmein
ip local pool VPN-POOL 10.1.1.1-10.1.1.254
crypto ipsec transform-set VPN-TRANSFORM esp-3des esp-sha-hmac
crypto dynamic-map DYNA-MAP 1 set transform-set VPN-TRANSFORM
crypto dynamic-map DYNA-MAP 1 set security-association lifetime seconds 288000
crypto dynamic-map DYNA-MAP 1 set reverse-route
crypto map FW1 20 ipsec-isakmp dynamic DYNA-MAP
group-policy VPN-REMOTE internal
group-policy VPN-REMOTE attributes
 dns-server value 208.67.222.222
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 default-domain value cookie.local
tunnel-group VPN-REMOTE type remote-access
tunnel-group VPN-REMOTE general-attributes
 address-pool VPN-POOL
 authentication-server-group acs
 default-group-policy VPN-REMOTE
tunnel-group VPN-REMOTE ipsec-attributes
 pre-shared-key cisco123



Now the Split Tunnel and IPsec access to the Spoke:
FW-3:

access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0


FW1:

same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
group-policy VPN-REMOTE attributes
 dns-server value 208.67.222.222
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
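The step that trips people up here is the mirroring rule: every "permit ip A B" in the hub's crypto ACL needs a matching "permit ip B A" on the spoke, or Phase 2 fails with a proxy-identity mismatch for that pair. That is exactly why the FW-3 half of this section adds the 192.168.2.0 to 10.1.1.0 entry when FW1 gains 10.1.1.0 to 192.168.2.0. The following is an added example, not code from the post or from Cisco: it parses the IPSEC-TUN lines from both firewalls and reports any entry without a mirror on the other side. The ACL text is a constructed copy of the lines shown in this post, and FW3_ACL_BROKEN is a constructed variant that leaves out the spoke-side entry.

```python
import ipaddress
import re

# Constructed copies of the crypto ACL lines from the FW1 and FW3 sections of
# this post (not the devices' running configs). FW3_ACL_BROKEN drops the entry
# that the "Split Tunnel and IPsec access to the Spoke" step adds on FW-3.
FW1_ACL = """
access-list IPSEC-TUN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list WAN_IN extended permit icmp any any
"""
FW3_ACL = """
access-list IPSEC-TUN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
"""
FW3_ACL_BROKEN = """
access-list IPSEC-TUN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# 'permit ip <net> <mask> <net> <mask>' is the form the crypto ACLs take here;
# 'host'/'any' keywords and non-ip protocols are deliberately not matched.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_crypto_acl(text, name):
    """Return the set of (src_net, dst_net) pairs in the named ACL."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        src = ipaddress.ip_network("%s/%s" % (m.group(2), m.group(3)), strict=False)
        dst = ipaddress.ip_network("%s/%s" % (m.group(4), m.group(5)), strict=False)
        pairs.add((src, dst))
    return pairs


def mirror_check(local_pairs, peer_pairs):
    """Every (src, dst) on one peer must appear as (dst, src) on the other.

    Returns two lists of 'src -> dst' strings: the entries the peer is
    missing, then the entries the local side is missing. Both empty means
    the two crypto ACLs mirror each other exactly.
    """
    missing_on_peer = ["%s -> %s" % (d, s) for (s, d) in sorted(local_pairs, key=str)
                       if (d, s) not in peer_pairs]
    missing_on_local = ["%s -> %s" % (d, s) for (s, d) in sorted(peer_pairs, key=str)
                        if (d, s) not in local_pairs]
    return missing_on_peer, missing_on_local


def check_l2l(hub_text, spoke_text, acl="IPSEC-TUN"):
    """Mirror-check the named crypto ACL between a hub and a spoke config."""
    return mirror_check(parse_crypto_acl(hub_text, acl), parse_crypto_acl(spoke_text, acl))


if __name__ == "__main__":
    for label, spoke in (("FW3", FW3_ACL), ("FW3 (broken)", FW3_ACL_BROKEN)):
        on_spoke, on_hub = check_l2l(FW1_ACL, spoke)
        print(label, "missing on spoke:", on_spoke, "missing on hub:", on_hub)
```

With the post's FW1 and FW3 lines the check comes back clean; with the broken spoke it reports "192.168.2.0/24 -> 10.1.1.0/24" as missing on FW3, which is the symptom you would otherwise chase in debug crypto ipsec output when a VPN client can reach 192.168.1.0/24 but not the spoke. NO-NAT is left out of the check on purpose: it is bound per interface (nat (Inside) 0 ...), so whether a hairpinned client flow needs an exemption depends on which interface it enters, not on the crypto ACL alone.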




And that is it! :P

If you need any info as to how to set up the client look here:
Setup VPN Client
The "group name" is VPN-REMOTE and the password is cisco123


Screenshot of it all working:

Tuesday, 29 September 2009

PIX/ASA Remote Access VPN with L2L VPN and Failover

Well I was going to do a nice multiple context PIX/ASA lab, but after playing around with GNS for a while and a good few hours into the lab I came to a brick wall.

The brick wall being that if you use multiple contexts you cannot use VPNs:
(http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1116132)

So I created this lab instead:




If I get time I'll upload the config tonight.