EzVPN II: Electric Boogaloo

On February 17, 2011, in CCIE, Networking, by Steve

The previous post talked about setting up an EzVPN server and an EzVPN client on a router. Not the easiest task, despite what the name would suggest. But the reason for setting up an EzVPN server isn't so much for other routers; the main reason is for an IPSec Client at a remote location to easily connect to the main network. In order to do that with certificates, as was demonstrated in the last post, the IPSec Client must be installed and then manually enrolled with the CA server. In production, this would be done while the user is in the office, as the PKI server shouldn't be exposed to the outside world.



Not So EzVPN…With Retsyn!

On February 17, 2011, in CCIE, Networking, by Steve

So it doesn’t really use retsyn, but it does use certs!  Get it?  Certs…retsyn…

But I digress.

In my award-seeking earlier post, I discussed how to set up a CA server with an IOS router. I then enrolled two additional routers with the CA server, and they now have signed certificates. Those very certificates can now be put to use by creating an EzVPN connection that authenticates with them rather than with pre-shared keys.



CA Server on a Cisco Router

On February 15, 2011, in CCIE, Networking, by Steve

Most of the time when I am in the field setting up VPNs, I am using pre-shared keys for authentication. Most of my customers are not really concerned about setting up the PKI infrastructure that is required in order to use a certificate-based VPN. Nevertheless, allowing routers to use certificates for authentication adds a layer of security by making it more difficult to mount "man-in-the-middle" attacks. While it would be nice to create an internal CA and RA infrastructure in a lab, it really isn't necessary in order to understand the base concepts of getting certificates installed and used for the purpose of a VPN. In fact, we can use a Cisco router to set up a CA server that issues certificates for this very purpose! Yay!



GET VPN through IOS Routers

On February 8, 2011, in CCIE, Networking, by Steve

IPSec VPN tunnels are pretty straightforward. Define the ISAKMP policy and keys (phase I), define the IPSec transform set, define the interesting traffic (the traffic that will be encrypted), create a crypto map or IPSec policy, then apply the policy to an interface. All IPSec VPN technologies use this basic format. However, there are various applications for a VPN. There are remote access VPNs (where the endpoint can be anywhere) and site-to-site VPNs (where the endpoints are static and known). For site-to-site VPN technologies, the type of traffic and the layout of the network can determine the type of VPN tunnel that is used, whether it is a crypto map, VTI, DMVPN, or GET VPN.



EIGRP Authentication Through a VTI

On February 5, 2011, in CCIE, Firewalls, Networking, by Steve

Earlier I discussed how to use a VTI rather than a standard crypto map for tunneling traffic. The VTI also has the advantage of using a smaller header than a GRE tunnel (which has its own advantages and disadvantages). In my previous example, I used a static route in order to send the traffic through the tunnel. Static routes, while quick and easy, are not very scalable. Various routing protocols can be used in order to get traffic to go through a VTI, such as RIP, OSPF, EIGRP, etc. More importantly, these protocols can make use of MD5 authentication to prevent man-in-the-middle style attacks against the routing exchange.



The Obligatory CCIE Study Tips

On February 2, 2011, in CCIE, by Steve

Many people who attempt the CCIE do not pass the first time. Or the second. Add me to that infamous list of people who simply fell short. 🙁

The first time I took the test, I went in with the idea that I probably wouldn’t pass the test the first time.  My fellow CCIEs in my workplace have noted on many an occasion that the first time you take the test it is simply to learn how to take the test.  They couldn’t be more right.  While there is the end of the bell curve that passes the first time through, I can see that taking the test really helps in developing a strategy to pass that cannot really be accomplished by simply studying the material.  Learning the environment, what to expect, and seeing what they really want in the testing situation can eat up valuable time.  And time really isn’t on your side during the exam.



IOS Auth Proxy with ACS

On January 30, 2011, in CCIE, Networking, by Steve

One of the tasks that should be done very quickly on the CCIE:Security exam is the IOS Auth Proxy. The IOS Auth Proxy intercepts an incoming connection, authenticates the user against the ACS (or some other authentication mechanism; in our example, we use the ACS), and then modifies the ACL that is currently denying traffic through the Auth Proxy router so that the authenticated user's traffic is allowed to pass.

In the following example, I demonstrate how to quickly set up the Auth Proxy on an IOS router that authenticates against an ACS server. This is the most basic of examples, and it should be possible to complete it within 15 minutes. TACACS+ is used, but RADIUS can be used on the ACS as well.



ASAs, Multiple ISPs, and VPNs

On November 11, 2010, in CCIE, Firewalls, Networking, by Steve

Sometimes a customer situation aligns with perfect symmetry with my studies.

A customer of mine is using one ISP, which happens to be a T1 connection.  Really cool if you live in Lickbucket, AK or insist that 1998 was the coolest year ever.  Fortunately for me and my sanity, my customer does not fit into either category.  The T1 connection is used for both Internet access and site-to-site VPN connections to a number of satellite offices.  The VPNs are utilized for direct dialing between IP phones.  Not only is this solution undersized for their needs, but recently the T1 connection failed, causing the whole main office to go down.

Right now, the customer is using a pair of ASAs at the main site. While the ASA doesn't offer a BGP solution like Juniper (grrr…), the ASA does offer redundant links out to the Internet. However, unlike with BGP, the IP address schemes for each ISP will be disparate. This is no big deal if you have only outbound connections, but what about VPNs? If we go with an additional ISP, we then need to split the traffic so we can utilize both links, but we still need a failover solution in case either link dies.



IPSec with a VTI Through an ASA

On November 7, 2010, in CCIE, Networking, by Steve

Many people who set up IPSec tunnels in the field usually do it the same way. The basic steps for creating a site-to-site IPSec tunnel would be:

  1. Create an isakmp policy
  2. Create an isakmp key
  3. Create an ipsec transform set
  4. Create an access list defining the encrypted traffic
  5. Create a crypto map
  6. Apply the crypto map to the physical interface

Pretty straightforward. So what would it look like? Let's assume that we have the following basic network:



The Start –

On November 6, 2010, in Networking, by Steve

Well, today is a special day.  Not only have I completed 43 rotations around the sun, I am also finally getting my blog in order.  I am going to focus on my CCIE:Security studies.  What better way to get my studies rolling than to share what I find during the course of my studies.  This will help me remember what I have seen, and hopefully those of you who are studying for various certifications or doing work in the field can use my findings for your daily activities.

My blog will also focus on Skepticism. I seem to use both skills in tandem, so while it may seem a bit incongruous, in their own little way the two seem to relate in my life.

On we go!