Posted by
Joe on Wednesday, August 5th 2009
That's right, I'm going to do what most men would never attempt, what most people would deem impossible. I will configure GET VPN in 28 minutes or less. This will consist of 1 KS (key server) and 2 GMs (group members) using the following topology.

My friends always told me "Joe, you're an animal. One day you're going to try and configure something that will send you right over the edge." Well, I say bring it on. GET VPN is great and I want to tame the beast and use it in my battle against the stuff I tend to have to battle sometimes. The networking world is serious business and only the true gladiators can thrive in it.
Now let's get back to reality. I didn't really configure it in 28 minutes. I'm not sure how long it took me because I wasn't timing myself. I did, however, successfully configure GET VPN in my own scenario. I'm starting to like GET VPN a bit more. I understand how it works, but now I just need to remember exactly what to configure. This is actually pretty easy stuff. I did my configuration using GNS3 and another handy little app called Process Lasso. My laptop seems to manage great with it. The GET VPN setup worked without a hitch. Here is the config:
Key Server Config
1. Configure the ISAKMP (phase 1) policy. The GMs register with the KS over this ISAKMP SA, so every GM needs a matching policy. 3DES/MD5/DH group 2 is fine for a GNS3 lab, but all three are deprecated today; on a production KS use AES, SHA-2 and a 2048-bit or stronger DH group.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
2. Configure pre-shared keys for all group members. Each GM registers with the KS using its own key entry; "cisco" is a lab key only, so use a long random key per GM (or RSA signatures/certificates) in production.
crypto isakmp key cisco address 192.168.0.2
crypto isakmp key cisco address 192.168.3.1
3. Configure the IPsec transform set and profile. The KS never applies this profile to an interface itself; it downloads the resulting IPsec policy (the TEK) to the GMs.
crypto ipsec transform-set trans_gdoi esp-3des esp-sha-hmac
crypto ipsec profile ipsec_gdoi_profile
 set transform-set trans_gdoi
4. Configure the match ACL. The KS pushes this ACL to every GM as the encryption policy, so it should be as generic as possible to ensure you cover the traffic of all of the GMs (the KS policy ACL is limited to 100 entries). Note that both the source and destination are the protected address space, not the GM WAN addresses.
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.12.0 0.0.0.255
5. Configure the GDOI group. First generate the RSA key pair the KS uses to sign rekey messages (the GMs learn the public key at registration and use it to authenticate every rekey). The key is marked exportable so it can later be copied to a cooperative (secondary) KS; a 1024-bit modulus is lab-sized, use 2048 or larger in production.
crypto key generate rsa general-keys label getvpn_rekey modulus 1024 exportable
! RSA key pair used to authenticate rekeys (protected by the KEK)
! Below is the GDOI group configuration on the Key Server
crypto gdoi group group_getvpn
 identity number 1111
 server local
  rekey transport unicast
  rekey authentication mypubkey rsa getvpn_rekey
  sa ipsec 1
   profile ipsec_gdoi_profile
   match address ipv4 100
  address ipv4 192.168.0.1
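The post only shows the Key Server side. For completeness, here is the matching Group Member configuration for the GM at 192.168.0.2, as an added example written for this page rather than taken from the original post. The group name, identity number, KS address and pre-shared key are the ones used in the KS config above; the interface name FastEthernet0/0 and its mask are assumptions about the lab topology. The second GM (192.168.3.1) gets the same config with its own address.

```cisco
! --- Group Member (192.168.0.2) ---
! Phase 1 policy must match the KS policy
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
! Pre-shared key towards the KS (lab key; use a strong per-GM key in production)
crypto isakmp key cisco address 192.168.0.1

! GDOI group: same name and identity number as on the KS,
! plus the KS address the GM registers with
crypto gdoi group group_getvpn
 identity number 1111
 server address ipv4 192.168.0.1

! A GDOI crypto map pulls the policy (ACL, TEK, KEK) from the KS;
! no peer, transform set or match address is configured locally
crypto map getvpn_map 10 gdoi
 set group group_getvpn

! Apply the crypto map on the WAN interface facing the other GMs
! (interface name and mask are assumptions for this lab)
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.0
 crypto map getvpn_map
```

To confirm registration, run `show crypto gdoi ks members` on the KS (each GM should be listed with its rekey count) and `show crypto gdoi` on a GM, which should show the KS address, the downloaded ACL and the TEK/KEK lifetimes; `show crypto gdoi gm acl` on the GM shows the policy actually received from the KS, which is the quickest way to spot a match ACL that is too narrow.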