CCNA Security 210-260: Module 2: Virtual Private Networks (VPNs), Lesson 5: Implementing IPsec Site-to-Site VPNs

Lesson 5: Implementing IPsec Site-to-Site VPNs
5.1 Configuring IPsec Site-to-Site VPNs in Cisco IOS Devices
5.2 Troubleshooting IPsec Site-to-Site VPNs in Cisco IOS Devices
5.3 Configuring IPsec Site-to-Site VPNs in Cisco ASA
5.4 Troubleshooting IPsec Site-to-Site VPNs in Cisco ASA

=================================================

5.1 Configuring IPsec Site-to-Site VPNs in Cisco IOS Devices

There are many ways that you can configure IPsec Site-to-site VPNs in a Cisco IOS device:
– Traditional/basic site-to-site configurations
– IPsec over Generic Routing Encapsulation (GRE)
– Dynamic Multipoint Virtual Private Network (DMVPN)
– FlexVPN

GRE is a tunneling protocol developed by Cisco that can encaptulate a wide variety of network layer protocols. An example is multicast and routing protocols.

DMVPN is a Cisco IOS Software solution for building scalable IPsec VPNs. Cisco DMVPN uses a centralized architecture to provide easier implementation and management for deployments that require granular access controls for sites and users (including mobile workers and telecommuters).

Flex VPN is a newer framework to configure IPsec VPN with IKE version 2 (IKEv2) on Cisco IOS devices.
In the following examples you will learn how to configure a basic IPsec site-to-site tunnel between two Cisco routers.

Protocols and ports that may be required for IPsec
– IKEv1 Phase 1 uses UDP port 500 for its negotiation.
– Layer 4 Protocol 50 – IP Encapsulating Security Payload (ESP)
– Layer 4 Protocol 51 – Authentication Header (AH)
– NAT-T (NAT Traversal) – if both peers support NAT-T, and if they detect that they are connecting to each other through a Network Address Translation (NAT) device, they may negotiate that they will encapsulate the ESP packets in UDP prot 4500.

Lab 5.1

R1#show run

version 15.2
!
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 2
crypto isakmp key 6 K0a!a address 172.16.123.2
!
!
crypto ipsec transform-set brendanSET esp-aes 256 esp-sha512-hmac
!
crypto map brendanMAP 1 ipsec-isakmp
set peer 172.16.123.2
set transform-set brendanSET
match address 100
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.101.1 255.255.255.0
!
interface Serial2/0
ip address 172.16.123.1 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
frame-relay map ip 172.16.123.2 102 broadcast
frame-relay map ip 172.16.123.3 103 broadcast
no frame-relay inverse-arp
crypto map brendanMAP
!
access-list 100 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
!
end

+======================================================+

R2#show run

version 15.2
!
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 2
crypto isakmp key 6 K0a!a address 172.16.123.1
!
!
crypto ipsec transform-set brendanSET esp-aes 256 esp-sha256-hmac
!
crypto map brendanMAP 1 ipsec-isakmp
set peer 172.16.123.1
set transform-set brendanSET
match address 100
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.102.1 255.255.255.0
!
interface Serial2/0
ip address 172.16.123.2 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
frame-relay map ip 172.16.123.3 201
frame-relay map ip 172.16.123.1 201 broadcast
no frame-relay inverse-arp
crypto map brendanMAP
!
access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
!
end

+======================================================+

R1#show crypto ipsec sa

interface: Serial2/0
Crypto map tag: brendanMAP, local addr 172.16.123.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer 172.16.123.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.123.1, remote crypto endpt.: 172.16.123.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

+======================================================+

R2#show crypto ipsec sa

interface: Serial2/0
Crypto map tag: brendanMAP, local addr 172.16.123.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer 172.16.123.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.123.2, remote crypto endpt.: 172.16.123.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

 

5.2 Troubleshooting IPsec Site-to-Site VPNs in Cisco IOS Devices
5.3 Configuring IPsec Site-to-Site VPNs in Cisco ASA
5.4 Troubleshooting IPsec Site-to-Site VPNs in Cisco ASA

 

 

Cisco UCM CAR (CDR) Web GUI Access Request (https:///car/)

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/11_5_1_SU1/Administration/cucm_b_administration-guide-1151su1/cucm_b_administration-guide-1151su1_chapter_010.pdf

 

To provide a user to CAR (CDR)  (https://<CAR server IP Address>/car/) web page, the following two access groups must be associated with the user. After giving user this access, please test login to other areas of UCM GUI, so the users do not gain unapproved access to UCM Admin pages.

 

1. Standard CCM End Users
2. Standard Admin Rep Tool Admin = (Standard CAR Admin Users, Standard CCM Super Users)

 

Putty Trick – 1. Save output to a file

To automatically save the output to a file while using Putty, you can change one setting of Putty to achieve this.
1. Start putty.exe.
2. Go to Session -> Logging.
3. Select “Printable output”
4. Choose the folder, where you want the file to be placed.
5. Append a file name like &H_&Y&M&D_&T.log to the path (host_YearMonthDay_time.log)
6. Save the profile as default settings.

CCNA Security 210-260 (Santos & Stuppi): Ch01 Questions

I have been away from study as well as blogging for sometime due to my on-going health issues. This year alone, I’ve had three operations and have been off the tangent on my study. Actually, two but the last one was a spin-off of the second. The first was in May, embarrassing to say this but the operation was for hemorrhoidectomy and colonoscopy, it brought me down for about 3 weeks. Then 3 weeks ago, I’ve had a Tonsillectomy, I was so glad that I was finally saying good bye to my beloved 40 year old tonsillitis. Post operation, I was almost over the hill, then on the 14th day, a scab came off the operated part and started bleeding crazy. Last Sunday, I went into Emergency and after almost bleeding to death for 8 hours, the ENT specicialist decided to operate on me again under full anesthetics. I was out for another week and looking forward to going back to work tomorrow. Sadly, I felt the pain up the bumb as well as in the mouth this year. Hopefully, I can keep my promise to completed the CCNA Security 210-260 before the year end. ;).

For anyone who is also struggling with their study, keep your forcus and keep going until you see the end of the tunnel. Yes, there are many tunnels to crosss in our industry, if you stop, you might get run over by the traffic behind you, so keep moving. 🙂

To help the exam prep and also make some go to points, I will simply refer the questions from the books. Yes, I did purchased a hard copy to study for this exam, the videos are also also available from safaribooks.com (Santos & Stuppi videos). Older Barker version is available off torrent sites as form of cbtnugget videos. Love watching Keith Barker’s cbtnuggets, he is a true  legend!

1. Which security term refers to a person, property, or data of value to a company?
a. Risk
b. Asset
c. Threat prevention
d. Mitigation technique
B

2. Which asset characteristic refers to risk that results from a threat and lack of a countermeasure?
a. High availability
b. Liability
c. Threat prevention
d. Vulnerability
D

3. Which three items are the primary network security objectives for a company?
a. Revenue generation
b. Confidentiality
c. Integrity
d. Availability
B C D

4. Which data classification label is usually not found in a government organisation?
a. Unclassified
b. Classified but not important
c. Sensitive but unclassified
d. For official use only e. Secret
B
5. Which of the following represents a physical control?
a. Change control policy
b. Background checks
c. Electronic lock
d. Access lists
C

6. What is the primary motivation for most attacks against networks today?
a. Political
b. Financial
c. Theological
d. Curiosity
B

7. Which type of an attack involves lying about the source address of a frame or packet?
a. Man-in-the-middle attack
b. Denial-of-service attack
c. Reconnaissance attack
d. Spoofing attack
D

8. Which two approaches to security provide the most secure results on day one?
a. Role based
b. Defense in depth
c. Authentication
d. Least privilege
B D

9. Which of the following might you find in a network that is based on a defense-in-depth security implementation? (Choose all that apply.)
a. Firewall
b. IPS
c. Access lists
d. Current patches on servers
A B C D

10. In relation to production networks, which of the following are viable options when dealing with risk? (Choose all that apply.)
a. Ignore it
b. Transfer it
c. Mitigate it
d. Remove it
B C D

Interview question: Cisco Voice Engineer: CUCM Database replication value, do you know what you are talking about?

This is a helpful reminder note for all who manages CUCM on day-to-day basis and one of the favorite Voice/IPTel Engineer interview questions. I think I was asked this question in almost every voice Engineer role interviews. Good luck with your next interview!

Q1. What does CUCM database replication value mean to you (CM Administrator)? 

2 = Good, excellent, no behind pain

Other than 2 = Behind pain begins

Value	Meaning	Description
0	Initialization State	This state indicates that replication is in the process of trying to  setup. Being in this state for a period longer than an hour could  indicate a failure in setup.
1	Number of Replicates not correct	This state is rarely seen in 6.x and 7.x but in 5.x can indicate its  still in the setup process. Being in this state for a period longer than  an hour could indicate a failure in setup.
2	Replication is good	Logical connections have been established and tables match the other servers on the cluster.
3	Tables are suspect	Logical connections have been established but we are unsure if tables match. In 6.x and 7.x all servers could show state 3 if one server is down in  the cluster. This can happen because the other servers are unsure if  there is an update to a user facing feature that has not been passed  from that sub to the other device in the cluster.
4	Setup Failed / Dropped	The server no longer has an active logical connection to receive  database table across. No replication is occurring in this state.

Source: CCO

Q2. How to check?

Option 1: On CUCM OS CLI, run show command

admin:show perf query class “Number of Replicates Created and State of Replication”
==>query class :

– Perf class (Number of Replicates Created and State of Replication) has instances and values:
ReplicateCount -> Number of Replicates Created = 427
ReplicateCount -> Replicate_State = 2 <<< Life is Good

Option 2: On CUCM Unified Reporting 

Cisco Unified Reporting > System Reports > Unified CM Database Status >> Run report

 

Option 3: Real Time Monitoring Tool (RTMT)

Install RTMT plugin on your desktop. Launch RTMT and then go to “Call Manager > Service > Database Summary”

Q3. How to repair a broken db replication issue?

I have come acorss a very good blog and it shows you on how to repair a broken db replication. Click here.

 

 

 

CCNA Security 210-260: Module 2: Virtual Private Networks (VPNs), Lesson 4: Fundamentals of IP Security

Source: https://www.safaribooksonline.com/library/view/ccna-security-210-260

Lesson 4: Fundamentals of IP Security
4.1 IPsec Concepts, Components, and Operations
4.2 IKE version 1 Fundamentals
4.3 IKE version 2 Fundamentals

====================================================

4.1 IPsec Concepts, Components, and Operations

The Internet Key Exchange (IKE) Protocol
– IPsec uses IKE protocol to negotiate and establish secured site-to-site or remote access virtual private network (VPN) tunnels.

– IKE is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols, namely Oakley and Secure Key Exchange Mechanism (SKEME).

– In IKE Phase 1: IPsec peers negotiate and authenticate each other. In Phase 2, they negotiate keying materials and algorithms for the encryption of the data being transferred over the IPsec tunnel.
Two versions of IKEs.
IKE v1: Defined in RFC 2409
IKE v2: Defined in RFC 4306

IKE Protocol Details:
– IKE v2 enhances the function of performing dynamic key exchange and peer authentication.
– IKE v2 simplifies the key exchange flows and introduces measures to fix vulnerabilities present in IKEv1.
– Both IKEv1 and IKEv2 protocols operate in two phases.
– IKEv2 provides a simpler and more efficient exchange.

 

4.2 IKE version 1 Fundamentals

IKEv1: Who begins the negotiation?
– The initiator sends over all of its IKE Phase 1 policies, and the other VPN peer looks at all of those policies to see whether any of its own policies match the ones it just received.
– If there is a matching policy, the recipient of the negotiations sends back information about which received policy matches, and they use that matching policy for the IKE Phase 1 tunnel.

IKEv1 Phase 1
A handy way to recall the five pieces involved in the negotiation of the IKE Phase 1 tunnel, you might want to remember that the two devices HAGLE over IKE Phase 1:

H: Hash
A: Authentication Method
G: DH group (a stretch, but it works)
L: Lifetime of the IKE Phase 1 tunnel
E: Encryption algorithm to use for the IKE Phase 1 tunnel
The DH (Diffie-Hellman) Exchange
– Now having agreed to the IKEv1 Phase 1 policy of the peer, the two devices run the DH key exchange.
– They use the DH group (DH key size for the exchange) they agreed to during the negotiations, and at the end of this key exchange they both have symmetrical keying material (which is a fancy way of saying they both have the same secret keys that they can use with symmetrical algorithms).
– DH allows two devices that do not yet have a secure connection to establish shared secret keying material (keys that can be used with symmetrical algorithms, such as AES).
Authenticating the peer (last step in IKEv1 phase 1)
– The last step of IKE Phase 1 is to validate or authenticate the peer on the other side.
– For Authentication, they use whatever they agreed to in the initial proposal/policy, and if they successfully authenticate with each other, we now have an IKE Phase 1 tunnel in place between the two VPN gateways.
– The authentication could be done either using a PSK or using RSA digital signatures.

Phase 1:
– The next step is to complete the IKEv1 Phase 2 negotiation.
– The entire conversation and negotiation of the IKEv1 Phase 2 tunnel are completely done in private because of the IKEv1 Phase 1 tunnel protection the negotiated traffic.
– The IKE Phase 2 tunnel includes the hashing and encryption algorithms.
– The name of the mode for building the IKE Phase 2 tunnel is called “Quick Mode“.
4.3 IKE version 2 Fundamentals

What’s different in IKEv2?

* IKEv2 does not consume as much bandwidth as IKEv1.
* IKEv2 supports EAP authentication while IKEv1 doesn’t.
* IKEv2 supports the Mobility and Multi-homing (MOBIKE) protocol while IKEv1 doesn’t.
* IKEv2 has built-in NAT traversal while IKEv1 doesn’t.

** UDP port 4500 is used.
*** Protocol 50 (ESP) or 51 (AH)
*** NAT Transversal need to be used on UDP port 4500

IKEv2 Phase 2
* Phase 2 in IKEv2 is CHILD_SA (Child Security Association)
* The first CHILD_SA is the IKE_AUTH message pair.
* This phase is comparable to IKEv1 Phase 2.
* Additional CHILD_SA message pairs can be sent for rekey and informational messages.
* The CHILD_SA attributes are defined in the Data Policy.

 

 

CCNA Security 210-260: Module 2: Virtual Private Networks (VPNs), Lesson 3: Fundamentals of VPN Technology and Cryptography

Lesson 3: Fundamentals of VPN Technology and Cryptography
3.1 Understanding VPNs and Why We Use Them
3.2 Cryptography Basic Components
3.3 Public Key Infrastructure
3.4 Putting the Pieces of PKI to Work

==================================================
3.1 Understanding VPNs and Why We Use Them

What is a Virtual Private Network (VPN)?
“A virtual private network that allows connectivity between two or more devices.”

Those two devices could be computers on the same local-area network or could be connected over a wide-area network.

Two major types of VPNS:
1. Remote access: uses SSL or IPSec VPN tunnel, terminates tunnel at either IOS/ASA and then can access corporate network from anywhere on the internet, as if it is directly connected to the network.
2. Site-to-Site : This is between two routers across WAN, terminate IPSec tunnel so the site A devices can access resources at site B and visa versa.

Examples of VPN Technologies
1. IPSEC
2. SSL
3. MPLS
4. PPTP

The main benefits of using either remote-access or site-to-site VPNs include the following:
Confidentiality: – Only the intended parties can understand the data that is sent.
– Any party that eavesdrops may see the actual packets, but the contents of the packet or the payload are encrypted (also called cipher text)
Data integrity: – Ensuring that the data is accurate from end to end
Authentication: – Peer authentication done in many ways. E.G.) Pre-shared keys, public and private key pairs, certificates, and user authentication in remote-access VPNs
Antireplay protection: – This just means that once a VPN packet has been sent and accounted for, that exact same VPN packet is not valid the second time in the VPN session.
3.2 Cryptography Basic Components

Ciphers
A Cipher is a set of rules, which can also be called an algorithm, about how to perform encryption or decryption.
Common methods that ciphers use
Substitution: substitutes one character for another. For example, substituting each letter from the alphabet with the previous letter of the alphabet.

Polyalphabetic: similar to substitution, but instead of using a single alphabet, it could use multiple alphabets and switch between them by some trigger character in the encoded message.

Transposition: uses many different options, including the rearrangement of letters.
E.G.)

 

KEYS
– A one-time pad (OTP) is a good example of a key that is only used once.
– Using this method, to encrypt a 32-bit message, a 32-bit key is also used. This is also called the pad, which is used one time only.
– Each bit from the pad is mathematically computed with a corresponding bit from our message, and the results are our cipher text, or encrypted content.
– The pad must also be known by the receiver if he wants to decrypt the message.

Note: Another use of the acronym OTP is for a user’s one-time password, which is a different topic than the OTP (one-time pad).
BLOCK CIPHERS
A block cipher is a symmetric key cipher (same key to encrypt and decrypt) that operates on a group of bits called a block.

E.G.)
– Advanced Encryption Standard (AES)
– Digital Encryption Standard (DES)
– Triple Digital Encryption Standard (3DES)
– Blowfish
– International Data Encryption Algorithm (IDEA)

STREAM CIPHERS
A stream cipher is a symmetric key cipher (same key to encrypt as decrypt), where each bit of plain-text data to be encrypted is done 1 bit at a time against the bits of the key stream, also called a cipher digit stream.
Symmetric vs Asymetirc Encryption Algorithm:

Symmetric Encryption Algorithms
– a.k.a a symmetric cipher, uses the same key to encrypt the data and decrypt the data.
– Two devices connected via a VPN, both need the key or keys to successfully encrypt and decrypt the data that is protected using a symmetric encryption algorithm.

E.G.)
– DES
– 3DES
– AES
– IDEA
– RC2, RC4, RC5, RC6
– Blowfish

Symmetrical encryption algorithmmms are used for most of the data that we protect in VPNs today.
Asymmetirc Encryption Algorithms
An example of an asymmetric algorithm is public key algorithms. Instead of using the same key for encrypting and decrypting, we use two different keys that mathematically work together as a pair. These are called the public and private keys. Together they make a key pair.

E.G.)
– RSA – named after “Rivest, Shamir and Adleman” (investors)
– Diffie-Hellman (DH)
– ElGamal – based on the DH exchange
– Digital Signature Algorithm (DSA) – created by the NSA
– Elliptic Curve Cryptography (ECC)
HASHES
Hashing is a method used to verify data integrity.

4 most popular types of hashes:
1. Message digest 5 (MD5): This creates a 128-bit digest.
2. Secure Hash Algorithm 1 (SHA-1): This creates a 160-bit digest.
3. Secure Hash Algorithm 2 (SHA-2): Options include a digest between 224 bits and 512 bits.
4. Secure Hash Algorithm 3 (SHA-3): Options include a digest between 224 bits and 512 bits.

Hashed Message Authentication Code (HMAC)
– Instead of using a hash that anyone can calculate, it includes in its calculation a secret key of some type.
– Then only the other party who also knows the secret key can calculate the resulting hash that can correctly verify the hash.
– An attacker who is eavesdropping and intercepting packets cannot inject or remove data because he does not have the key or keys used for the calculation.
DIGITAL SIGNATURES
When you sign something, it often represents a commitment to follow through, or at least prove that you are who you say you are. In cryptography a digital signature provides three core benefits:

1. Authentication
2. Data Integrity
3. Nonrepudiation
KEY MANAGEMENT
Key management deals with:
– Generating keys
– Verifying keys
– Exchanging keys
– Storing keys
– at the end of their lifetime, destroying keys
3.3 Public Key Infrastructure

PKI and Public and Private Keys
A key pair is a set of two keys (a private and a public key) that work in combination with each other as a team.
The public key may be shared with everyone, but the private key is not shared with anyone.
Certificate Authorities
A certificate authority (CA) is a system that creates an issues digital certificates.

Inside of a digital certificate is information about the identity of a device, such as:
– its IP Address
– Fully Qualified Domain Name (FQDN)
– The public key of that device

Root and Identity Certificates
A digital certificate can be thought of as an electronic document that identifies a device or person.
– A root certificate contains the public key of the CA server and the other details about the CA server.
– An identity certificate is similar to a root certificate, but it describes the client and contains the public key of an individual host (the client).

3.4 Putting the Pieces of PKI to Work

1. Authenticate CA Server by downloading “Root Cert” from the CA server to Client
2. Client can request its own identity certificate, CA server generating the public and private key pair. ID certificate can be for a device or a person, the client can be a PC/firewall/router.

Simple Certificate Enrollment Protocol (SCEP) is used to generate the ID certificate. SCEP is most popular certification method.

Certificate Revocation:
Certificate revocation List (CRL): list of certificate which should be no longer trusted.
Online Certificate Status Protocol (OSCP): Newer certification revocation method. Revoked – irreversible or Hold status – temporary.