Rogierm's Blog » cisco

Cisco IPSec VPN with certificates in OSX Lion

admin — Mon, 31 Oct 2011 13:13:43 +0000

Since the Cisco VPN client does not work under OSX Lion anymore there was no easy way to connect with certificate authentication. It took some time but I managed to get it working under Lion with the build in VPN Client. Find the steps below to get the certificates imported and working with the VPN Client.

Create key: openssl genrsa -des3 -out vpn-cert2.key 1024
Create CSR (make sure that the CN is a simple name, no spaces or special characters): openssl req -new -key vpn-cert2.key -out vpn-cert2.csr
Request certificate with your CA
Create a p12 file from the key and the certificate: openssl pkcs12 -export -inkey vpn-cert2.key -in certnew-3.cer -out vpn.p12
Import the p12 file (containing the key and certificate) in the system keychain (not the login keychain, that doesn’t work): sudo security import vpn.p12 -k /Library/Keychains/System.keychain
If needed you can import the CA in your keychain and trust the imported certificate: sudo security add-trusted-cert -k /Library/Keychains/System.keychain root.ca.pem
Note:Make sure that if you import your own CA, that you do it this way. Otherwise the VPN server certificate will not be verified correctly.

To use the certificate for VPN authentication do the following:

Open System Preferences
Go to Network
Click + to add network interface, Select Interface: VPN, VPN Type: Cisco IPSec
Click Create
In the Server Address type the hostname of the firewall. This is really important. The firewall has a certificate configured on the FQDN. Make sure the server address is the name of the certificate in the firewall. This FQDN can be found in the trustpoint configuration (see below)
Enter the username
Click Authentication Settings
Select Certificate and Click Select
Select the correct certificate that you just imported
Click OK
Click Apply

When you are not able to select the certificate you created the problem is that the CN is not supported. Make sure the CN that you used to create the CSR does not contain spaces or special characters.

Firewall trustpoint config:
crypto ca trustpoint CA1 enrollment terminal fqdn fw.xxxx.com subject-name CN=fw.xxxx.com,OU=IT,O=XXX Limited,C=NL,St=NH,L=Amsterdam

Cisco switch and Tacacs

admin — Thu, 14 Jan 2010 21:12:50 +0000

Tacacs is a great way to centralize user authentication, authorization and accounting. While tacacs originally is a Cisco thing, there is an open source server version available, tac_plus (http://www.gazi.edu.tr/tacacs/index.php?page=download). Installing the tacacs server is quite straight forward. Configuring the switch is not difficult either, as long as you think about possible failures. You don’t want to be locked out of your switches when your tacacs server is not available. I use the following configuration that uses two tacacs servers and asks for the enable password when neither of the tacacs servers is available. To enter ‘enable’ mode, the configured enable password suffices. Use the following Cisco configuration for a save AAA authentication.

NOTE: Always be careful when changing authentication and authorization configuration, as this might lock you out of the device. The savest way is to do this on the console of the machine.

aaa new-model aaa authentication login default group tacacs+ enable aaa authentication enable default enable aaa authorization exec default group tacacs+ if-authenticated aaa authorization commands 15 default group tacacs+ if-authenticated aaa authorization network default group tacacs+ if-authenticated aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting system default start-stop group tacacs+ aaa session-id common tacacs-server host 1.1.1.1 single-connection tacacs-server host 2.2.2.2 single-connection tacacs-server key TACACSKEY tacacs-server directed-request
To restrict access to specific devices, you can configure an ACL in the tacacs configuration on the server (tac_plus.conf). See the example below.

user = username { login = des "XXXX" member = admin acl = mgmt_devices service = shell { priv-lvl = 15 } } group = admin { default service = permit service = exec { priv-lvl = 15 } } # acl's

acl = mgmt_devices { permit = 12.12.12.12 permit = 13.13.13.13 }

Cisco ASA IPv6 failover not supported

admin — Fri, 24 Jul 2009 12:50:36 +0000

Due to the shortage of IPv4 IP addresses, we will run out of IPv4 some day in the near future (approx. 699 days from now, http://inetcore.com/project/ipv4ec/index_en.html). To be prepared for this we are experimenting with IPv6. We got a /32 allocated by RIPE, and are currently preparing a live network to connect some services via native IPv6 to the internet. While reviewing the IPv6 capabilities of the network equipment we use, I found out that Cisco ASA/Pix does not support failover when running IPv6. For details on this matter please see the following links:

http://www.v4tov6.com/2009/06/cisco-asa-ipv6-failover-update.html
http://v4tov6.com/2008/11/cisco-asa-ipv6-failover.html
http://forums.cabling-design.com/cisco/Re-PIX-IPv6-Failover-bug-4167-.htm

This failover support seems to be lacking for some time now, and is still missing in the latest release. I’ve notified our sales rep. at Cisco about this. Personally I think this is quite a serious issue, as failover is a essential part of building serious infrastructures. I hope Cisco will see that this feature should be implemented as soon as possible.

If you consider this a serious issue as well, I recommend you notify your Cisco contact. Also leave a comment, just because I’m wondering how many people think this is a problem

06 april 2010: Cisco released ASA version 8.3 which solves this problem: http://www.networkworld.com/community/node/58537

restrict commands for rancid using tacacs

admin — Thu, 23 Jul 2009 14:38:33 +0000

When using rancid you have to store the username and password in a text file. When you don’t want to give the user privilege level 15 you have to store the enable password as well. Tacacs with authorization is the best solution to restrict access for the rancid user. Since the rancid user doesn’t need to change any configuration on the network devices, you can restrict the commands it is allowed to run.

When using tac_plus (http://www.shrubbery.net/tac_plus/) you can use the following definition for the rancid user:
user = rancid { # default service = permit login = cleartext "XXX" enable = cleartext "XXX" name = "Rancid User" service = exec { priv-lvl = 15 } cmd = show { permit .* } cmd = write { permit term } cmd = dir { permit .* } cmd = admin { permit .* } cmd = more { permit .* }

}

user = rancid {

# default service = permit

enable = cleartext “raNc1d_3naB1e”

name = “Rancid User”

service = exec {

priv-lvl = 15

}

cmd = show {

permit .*

}

cmd = write {

permit term

}

cmd = dir {

permit .*

}

cmd = admin {

permit .*

}

The rancid user is automatically in enable mode because the privilege level is set to 15 in tacacs. You have to configure rancid no to enter enable mode. This is configured (for cisco devices) in ~rancid/.cloginrc

Enter the following details:
add user * rancid add password * XXX add method * telnet add autoenable * 1