Wednesday, 23 September 2020

FlexVPN - Site-to-Site (1)

IKEv2
 
Few words on IKEv2:

-    described in RFC 7296 (initially RFC 5996)
-    offers dynamic key exchange and peer authentication
-    addresses measures to fix vulnerabilities of IKEv1 (anti-DoS)
-    supports Extensible Authentication Protocol (EAP)
-    it is not backward compatible with IKEv1
-    operates in two phases
-    industry standard, can operate in multivendor environment


IKEv2 operation:
-    Phase 1 is IKE_SA it consist a message pair IKE_SA_INIT (key exchange policy)
-    Phase 2 is CHILD_SA, first message pair is IKE_AUTH, additional CHILD_SA can be sent for rekey and information messages (data policy) 


R1 is the Initiator / R2 is the Responder

SA – security association
KE – Key exchange
Nr,Ni – Nonce
Cert-Req – Certificate Request
Cert – Certificate
IDi – Identification (Initiator/Responder)
TSi – Traffic selector – Initiator
TSr – traffic selector – Responder

 
IKEv2 authentication methods:
-    pre-shared keys (PSK)
-    digital signatures
-    EAP


IPSec 


IPSec consist of two main security protocols:
- Authentication Header (AH- IP protocol ID  51) – used for authentication and Integrity, enforces anti replay protection (receiving host sets replay bit in the header). AH is applied to datagram only.
- Encapsulation Security Payload (ESP- IP protocol ID 50) – used to provide confidentiality (encryption), data origin authentication, integrity, optional anti-replay service. Performs encryption at the IP packet layer, support symmetric algorithms by default 56-bit DES.

The AH can be applied alone or together with the ESP.

IPSec supports following standards:
-    Data encryption standard (DES), Triple DES (3 DES)
-    Delffie – Hellman (D-H)
-    Message Digest 5 (MD5)
-    Rivest, Shamir, and Adelman (RSA) signatures
-    IKEv1/v2
-    Certificate Authorities


IPSec operates in two modes:
-    Tunnel mode – A new IP header is created in place of the original this allow for encryption of entire original packet. Tunnel mode is used to encrypt traffic between secure IPSec Gateways i.e. Site to Site VPN or Cisco VPN Client and a IPSec Gateway.
-    Transport mode – The AH or ESP is inserted behind the IP header, the IP header can be authenticated but not encrypted. Use example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.
In transport mode IP header is exposed.


Smart Defaults – this feature minimize FlexVPN configuration process. For example is following configuration steps can be skipped:
-    IKEv2 Proposal
-    IKEv2 Policy
-    IPSec transform-set
-    IPSec profile


default values will be picked, to verify default values:
-    sh crypto ikev2 proposal
-    sh crypto ikev2 policy
-    sh crypto ipsec transform
-    sh crypto ipsec profile


The think to remember is to use “default” as a name for the ikev2 profile.


LAB. Site to site FlexVPN with SVTI (using smart defaults)

 


 

RTR-01

crypto ikev2 keyring FlexVPN

 peer rtr-02

  address 20.0.0.1

  pre-shared-key local cisco

  pre-shared-key remote cisco

 

crypto ikev2 profile default

 description --->Basic FlexVPN<---

 match identity remote address 0.0.0.0

 authentication remote pre-share

 authentication local pre-share

 keyring local FlexVPN

 

crypto ikev2 dpd 10 3 on-demand

 

interface Tunnel200

 description FlexVPN-to-rtr-02

 ip address 10.120.0.1 255.255.255.252

 tunnel source Ethernet1/1

 tunnel mode ipsec ipv4

 tunnel destination 20.0.0.1

 tunnel protection ipsec profile default

 

RTR-02

crypto ikev2 keyring FlexVPN

 peer rtr-01

  address 10.0.0.1

  pre-shared-key local cisco

  pre-shared-key remote cisco

 

crypto ikev2 profile default

 description --->Basic FlexVPN<---

 match identity remote address 0.0.0.0

 authentication remote pre-share

 authentication local pre-share

 keyring local FlexVPN

 

crypto ikev2 dpd 10 3 on-demand

 

interface Tunnel200

 description FlexVPN-to-rtr-01

 ip address 10.120.0.2 255.255.255.252

 tunnel source Ethernet1/0

 tunnel mode ipsec ipv4

 tunnel destination 10.0.0.1

 tunnel protection ipsec profile default



Verification:

RTR-01-HUB#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.0.0.1/500          20.0.0.1/500          none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/248 sec
      CE id: 1001, Session-id: 1
      Status Description: Negotiation done
      Local spi: 6445B887B3DC849B       Remote spi: CB227544A6FD4612
      Local id: 10.0.0.1
      Remote id: 20.0.0.1
      Local req msg id:  2              Remote req msg id:  0
      Local next msg id: 2              Remote next msg id: 0
      Local req queued:  2              Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 10 seconds, retry 3
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes

 IPv6 Crypto IKEv2  SA

RTR-01-HUB

RTR-02#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         20.0.0.1/500          10.0.0.1/500          none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/159 sec
      CE id: 1001, Session-id: 1
      Status Description: Negotiation done
      Local spi: CB227544A6FD4612       Remote spi: 6445B887B3DC849B
      Local id: 20.0.0.1
      Remote id: 10.0.0.1
      Local req msg id:  0              Remote req msg id:  2
      Local next msg id: 0              Remote next msg id: 2
      Local req queued:  0              Remote req queued:  2
      Local window:      5              Remote window:      5
      DPD configured for 10 seconds, retry 3
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

 IPv6 Crypto IKEv2  SA

 

Wireshark capture of the test ping from rtr-01 to rtr-02.

 



Wednesday, 22 April 2020

EIGRP


Enhanced Interior Gateway Routing Protocol (EIGRP) is still a part of CCNP/CCIE curriculum so I am using this post for exam preparation or trouble shooting purposes.  Believe it or not you can still see this protocol being in use in commercial environments but it is not part of the new Cisco CCNA exam.

About EIGRP:
-          EIGRP replaced IGRP in 1993, initially Cisco proprietary now partially open standard 
        described in RFC7868 classless routing protocol
-          Hybrid routing protocol/Advanced distant routing protocol
-          uses DUAL algorithm (Diffusing update algorithm)
-          uses protocol number 88
-          protocol independent, uses multicast address 224.0.0.10 and FF02::A for IPv6
-          Supports unequal load balancing (Advantage over link-state protocols)
-          provides fast convergence (Advantage over link-state protocols)


EIGRP terminology:
-          Successor – next-hop router with the lowest path metric
-          Feasible Successor (FS) – backup route to the destination
-          Reported Distance (RD) – cost between next hop and a destination
-          Feasible distance (FD) – cost to the destination (cost to the next hop + RD)
-          Active route – route for which Query process is being used to find a loop free alternative route (i.e. when the link goes down)
-          Passive route – route that is ready to be used (no longer calculated by DUAL)


EIGRP Tables:
-          Neighbor Table – lists of all neighbors
-          Topology Table – list of all prefixes
-          Routing Table – best routes (Successors)

EIGRP Packet types:
   Uses RTP (Reliable Transport Protocol) to exchange information
-          Hello – forms relationship / keep alive
-          Update – updates can be partial or full routing table (only sent when forming neighbour)
-          Query – i.e. query is send when there is no Feasible Successor (FS)
-          Replay – response to the query
-          Ack – acknowledgment to the update, query or reply messages


EIGRP Metric calculation
-          by default Bandwidth and Delay are being used, K1 and K3 both have the value of 1
-          by default K2, K4 and K5 are set to 0
-          latency is measured in microseconds, reference bandwidth 10Gbps

EIGRP Wide metrics
-          was implemented to help with higher-capacity links(up to 655Tbps), K6 value was added
-          by default K6 is 0 which makes it backward compatible
-          latency is measured in picoseconds

EIGRP troubleshooting (things to remember)
-          by default hello timer is 5 seconds (60sec on older slower links)
-          hold timer is 3x Hello timer
-          to form neighbor relationship EIGRP ASN numbers must match, K values must match, if authentication is used password and keys must match
-          when router detects the loss of Successor, Feasible Successor is being used and the Update is being send and every router that receive it will run DUAL
-          when router detects the loss of Successor and there is no Feasible Successor, route state changes from passive to active and DUAL will send a Query to EIGRP neighbors

Stuck in active (SIA) – this happens when there is no reply within 3 minutes often caused by high CPU and memory usage, packet drop or unidirectional links.

Plumbing... QoS

Rule no 1. QoS does not help in situations where there is no enough bandwidth but helps optimize performance by prioritization of the traffi...