Posts Tagged ‘nervi’

dynamic ike :-l:-l:-l

Posted: June 12, 2009 in technical

For whoever/ANYONE is willing to help a poor VPN junior 🙂

The scenario, broadly, is Site-to-Site, with certificates, IKEv1, against a NetScreen 5200 running 6.2.0r2. I want to identify the peers by ID_FQDN, because I am about to put NAT between the sites, so I cannot identify the peers by IP 😛 In the certificates on the Initiators I have CN=peer$i, where i runs from 1 to 30.

On the NetScreen I created several Dynamic IKE peers, with identification set to CN=peer1 for the first gateway, CN=peer2 for the second gateway, and so on.

When the first tunnel request comes from the first gateway (which also has a certificate with CN=peer1), the NetScreen handles the request through the first dynamic IKE gateway, namely the one that identifies its peer by CN=peer1. The tunnel comes up correctly.

The problem is that when the second tunnel request reaches the NetScreen, coming from peer 2, whose certificate has CN=peer2, the NetScreen tries to handle the request through the first dynamic IKE gateway again (the one expecting a peer with CN=peer1). Obviously no matching ID is found (see the log attached below), and the Juniper does not even try to handle the request on the second dynamic IKE gateway (the one that actually expects a peer with CN=peer2), so the tunnel fails.

How do I have to configure the NetScreen so that each dynamic IKE gateway handles the tunnel request matching the Identification it was configured with: the dynamic IKE gateway expecting CN=peer1 handles tunnel requests from the peer whose certificate has CN=peer1, the dynamic IKE gateway expecting CN=peer2 handles tunnel requests from the peer whose certificate has CN=peer2, and so on.

## 2009-06-12 18:40:28 : IKE<157.11.0.2> Found peer entry (1s2sRNAT1) from 157.11.0.2.
## 2009-06-12 18:40:28 : responder create sa: 157.11.0.2->170.2.0.1
## 2009-06-12 18:40:28 : init p1sa, pidt = 0x0
## 2009-06-12 18:40:28 : change peer identity for p1 sa, pidt = 0x0
## 2009-06-12 18:40:28 : IKE<0.0.0.0        >   peer_identity_create_with_uid: uid<0>
## 2009-06-12 18:40:28 : IKE<0.0.0.0        >   create peer identity 0x3b3afe1c
## 2009-06-12 18:40:28 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry before add <1>
## 2009-06-12 18:40:28 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry after add <2>
## 2009-06-12 18:40:28 : peer identity 3b3afe1c created.
## 2009-06-12 18:40:28 : IKE<0.0.0.0        >   EDIPI disabled
## 2009-06-12 18:40:28 : IKE<157.11.0.2> getProfileFromP1Proposal->

–output omitted–

That 1s2sRNAT1 indicates the dynamic peer waiting for a tunnel request with a certificate where CN=peer1, not peer2. 😦

Quote from the NS5200_Complete User Guide, page 129, Dynamic IKE Gateways Using FQDN, more precisely page 132, where it says how to configure the Dynamic IKE Gateway:

3. VPN
VPNs > AutoKey Advanced > Gateway > New: Enter the following, then click OK:
Gateway Name: To_Paris
Security Level: Custom
Remote Gateway Type:
Static IP Address: (select), IP Address/Hostname: http://www.nspar.com

Do NOT do that!!! That way the gateway shows up as disabled!!! No good, then.

To make it work, you use, in the same place, obviously, the “Dynamic IP address” option (DYNAMIC, OBVIOUSLY), except that, since I do not have a dynamic IP but a peer with a dynamic, or NATed, or in any case unknown-to-the-NetScreen IP, I put the digital certificate's DN here. So IPsec identification is done in both directions on FQDN.

Would you look at that!!! NOW IT WORKS!!! How hard was that!

Note to myself: NEVER OBEY MANUALS AGAIN!

Because networking is in a sorry state...

Dynamic IKE Gateway Using FQDN, as the ND52_Complete_Guide calls it. One initiator with dynamic IPs but valid certificates and a known FQDN, and a NetScreen 5200 with a static Gateway.

The gateway is defined with Static IP/Hostname: test. (FQDN)


And when I run the test:

## 2009-06-04 13:14:31 : IKE<157.10.1.1> ike packet, len 112, action 1
## 2009-06-04 13:14:31 : IKE<157.10.1.1> Catcher: received 84 bytes from socket.
## 2009-06-04 13:14:31 : IKE<157.10.1.1> ****** Recv packet if <ethernet2/2> of vsys <Root> ******
## 2009-06-04 13:14:31 : IKE<157.10.1.1> Catcher: get 84 bytes. src port 500
## 2009-06-04 13:14:31 : IKE<0.0.0.0        >   ISAKMP msg: len 84, nxp 1[SA], exch 2[MM], flag 00
## 2009-06-04 13:14:31 : IKE<157.10.1.1     > Recv : [SA]
## 2009-06-04 13:14:31 : IKE<157.10.1.1> Found peer entry (1s2sRNAT) from 157.10.1.1.
## 2009-06-04 13:14:31 : IKE<157.10.1.1> Peer Gateway 1s2sRNAT is disabled, packet discarded
## 2009-06-04 13:14:31 : IKE<157.10.1.1> Rejected an initial Phase 1 packet from an unrecognized peer gateway.

And rightly so. But why is it disabled? If I put a static IP instead of the FQDN, the gateway becomes active...
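Added example, mine and not from the post: a small sh/awk triage for the ScreenOS debug ike lines quoted above. It reports, per source IP, which gateway entry the NetScreen matched (the post's 1s2sRNAT and 1s2sRNAT1) and whether Phase 1 was then discarded because the entry was disabled or the peer was rejected; the log lines embedded in the script are constructed by copying the post's own lines.

```shell
#!/bin/sh
# Added example, not from the original post: triage ScreenOS "debug ike"
# output. For each source IP it reports which gateway entry the NetScreen
# matched and whether Phase 1 was then discarded. The sample lines below
# are constructed by copying the lines quoted in the post.
IKE_LOG='## 2009-06-04 13:14:31 : IKE<157.10.1.1> Recv : [SA]
## 2009-06-04 13:14:31 : IKE<157.10.1.1> Found peer entry (1s2sRNAT) from 157.10.1.1.
## 2009-06-04 13:14:31 : IKE<157.10.1.1> Peer Gateway 1s2sRNAT is disabled, packet discarded
## 2009-06-04 13:14:31 : IKE<157.10.1.1> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
## 2009-06-12 18:40:28 : IKE<157.11.0.2> Found peer entry (1s2sRNAT1) from 157.11.0.2.
## 2009-06-12 18:40:28 : responder create sa: 157.11.0.2->170.2.0.1'

# ike_triage: read debug-ike lines on stdin and print, per source IP,
#   <ip> gateway=<matched entry> status=<ok|disabled|rejected>
# "ok" only means a peer entry was selected: compare the entry name with
# the peer you expected for that IP (the post's problem was the wrong
# entry, 1s2sRNAT1, being selected for the CN=peer2 peer).
ike_triage() {
  awk '
    function seen(a) { if (!(a in status)) { status[a] = "ok"; order[++n] = a } }
    # source IP from the IKE<a.b.c.d> prefix; lines without it are skipped
    { ip = ""; if (match($0, /IKE<[0-9.]+/)) ip = substr($0, RSTART + 4, RLENGTH - 4) }
    ip == "" { next }
    match($0, /Found peer entry \([^)]+\)/) {
      gw[ip] = substr($0, RSTART + 18, RLENGTH - 19)   # text between "(" and ")"
      seen(ip)
    }
    /Peer Gateway .* is disabled/ { seen(ip); status[ip] = "disabled" }
    /Rejected an initial Phase 1 packet/ { seen(ip); if (status[ip] == "ok") status[ip] = "rejected" }
    END { for (i = 1; i <= n; i++) print order[i], "gateway=" gw[order[i]], "status=" status[order[i]] }
  '
}

printf '%s\n' "$IKE_LOG" | ike_triage
```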

unset key protection enable
set hardware wdt-reset
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
unset alg sip enable
unset alg mgcp enable
unset alg sccp enable
unset alg sunrpc enable
unset alg msrpc enable
unset alg sql enable
unset alg appleichat enable
unset alg appleichat re-assembly enable
unset alg p2p enable
unset alg h323 enable
unset alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "Local" timeout 0
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth web timeout 0
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet2/1" zone "Trust"
set interface "ethernet2/2" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
unset interface vlan1 ip
set interface mgt ip 10.205.17.233/24
set interface ethernet2/1 ip 171.253.253.1/24
set interface "ethernet2/1" ipv6 mode "router"
set interface "ethernet2/1" ipv6 interface-id 0000000000000001
set interface "ethernet2/1" ipv6 ip 5171::/32
set interface "ethernet2/1" ipv6 enable
set interface ethernet2/1 route
set interface ethernet2/2 ip 170.2.0.1/24
set interface "ethernet2/2" ipv6 mode "router"
set interface "ethernet2/2" ipv6 interface-id 0000000000000001
set interface "ethernet2/2" ipv6 ip 2001::/32
set interface "ethernet2/2" ipv6 enable
set interface ethernet2/2 route
set interface tunnel.1 ip unnumbered interface ethernet2/2
set interface "tunnel.1" ipv6 mode "router"
set interface "tunnel.1" ipv6 enable
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
unset interface vlan1 bypass-ipv6-others-ipsec
set interface vlan1 bypass-icmpv6-ndp
set interface vlan1 bypass-icmpv6-mld
unset interface vlan1 bypass-icmpv6-mrd
unset interface vlan1 bypass-icmpv6-msp
set interface vlan1 bypass-icmpv6-snd
set interface ethernet2/1 ip manageable
set interface ethernet2/2 ip manageable
unset interface ethernet2/1 manage ssh
unset interface ethernet2/1 manage telnet
unset interface ethernet2/1 manage snmp
unset interface ethernet2/1 manage ssl
unset interface ethernet2/1 manage web
set interface ethernet2/2 manage ping
set interface ethernet2/1 ipv6 ra link-address
set interface ethernet2/2 ipv6 ra link-address
unset interface tunnel.1 ipv6 ra link-address
set interface ethernet2/1 ipv6 nd nud
set interface ethernet2/2 ipv6 nd nud
set interface tunnel.1 ipv6 nd nud
set interface tunnel.1 ipv6 nd dad-count 0
unset flow no-tcp-seq-check
unset flow tcp-syn-check
set flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console timeout 0
set dbuf size 4096
set dbuf usb filesize 0
set pki authority default cert-status revocation-check none
set pki authority default scep ca-cgi "http://10.205.17.185/certsrv/mscep/mscep.dll"
set pki authority default scep ra-cgi "http://10.205.17.185/certsrv/mscep/mscep.dll"
set pki authority default scep ca-id "IxVPN-CA"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn name "ns5200."
set dns host dns1 0.0.0.0
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "Trust" "1_6_tr" 6101::/16
set address "Trust" "1_tr" 61.0.0.0 255.0.0.0
set address "Untrust" "1UN_RNAT" 158.10.1.0 255.255.255.0
set ike gateway "1s2sRNAT" address test. Main outgoing-interface "ethernet2/2" preshare "DQA5YPdeNmwBLSs4dIC9Og7JA4naYzYizg==" proposal "rsa-g14-aes256-sha-360"
set ike gateway "1s2sRNAT" cert my-cert-hash BC1D04E0E20D4D05F776E30C34830ED9844DC79C
set ike gateway "1s2sRNAT" cert peer-ca-hash 7B236EFB192B6B5360CA7ECDE252191495E9A36B
set ike respond-bad-spi 1
set vpn "1-s2s-rnat" gateway "1s2sRNAT" no-replay tunnel idletime 0 proposal "g5-esp-aes256-sha-300"
set policy id 14001 name "1-TUs2s-rnat" from "Untrust" to "Trust"  "1UN_RNAT" "1_tr" "ANY" tunnel vpn "1-s2s-rnat" id 0x1773 pair-policy 14002
set policy id 14001
exit
set policy id 14002 name "1-TUs2s-rnat" from "Trust" to "Untrust"  "1_tr" "1UN_RNAT" "ANY" tunnel vpn "1-s2s-rnat" id 0x1773 pair-policy 14001
set policy id 14002
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 158.0.0.0/8 interface tunnel.1
set route 157.0.0.0/8 interface ethernet2/2 gateway 170.2.0.2
set route 61.10.0.0/16 interface ethernet2/1 gateway 171.253.253.3
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

why I love Cisco

Posted: June 3, 2009 in technical

Because, after you build an Enterprise CA with all the goodies, you also configure one NetScreen to enroll with this CA; you get some 3000 certificates on the NS and create just as many security gateways, and everything is nice and pink with little flowers...

Then you run into a Cisco. And CISCO... does not want, sir, to validate the NetScreen peers. It simply will not. Fine, redo the enrollment, maybe I missed something, remove the revocation check, regenerate the RSA keys... and so on, and so on. Ultimate solution: you think, as anyone would, that maybe CISCO really is as notorious as they say... and does not like the CA. Why would I think that? Well, because my sensible Enterprise CA had DC components in the Subject Name. Aaaahhhhh. Big mistake, Cristina! Big mistake, Cristina! Redo the whole CA, leave only the CN in the Subject and let it run. And what do you know?! Now it works!

Goood, now redo the PKI on the Juniper, remove the previous CA, put in the new one, change in the configuration all the gateways that use RSA to the new CA thumbprint... and so on. That is how I am becoming an expert at typing commands in the ScreenOS CLI... as they say... OUT OF LOVE... for CISCO... “I'd like to see you at Babes, you devilish mongrel!” I think, and all sorts of ideas start running through my mind, each one crueler and more infamous than the last.

pathetic

Posted: May 28, 2009 in thoughts

I was reading the latest articles on Catavencu. One of them showed how that bimbo Monica kkkk Columbeanu went nicely shopping for her dear beloved husband, because, well, she married for love... or so she claimed a while ago 😛

I liked Bendeac's article, in which he invites “Mrs.” Columbeanu to shove the watch (bought for her... beloved husband, 60k euros... the watch, not “Iri”) up her... rear parts. And to quote him:

I have just this to say to her: Dear Monica, on behalf of the teachers with salaries between 700 and 1500 lei, on behalf of the doctors with salaries between 800 and 2000 lei, or on behalf of the actors with salaries between 540 and 1200 lei, I INVITE YOU ON THE SHOW TO SHOVE YOUR WATCH, EXCLUSIVELY, UP YOUR ASS...

KISSES, I LOVE YOU and I RESPECT YOU!

Well, everyone gets by however they can, right? I support that idea. But the way we get by also shows what level of morality/civilization/culture we are at. We, as a society, as people, as a country, and so on.

In the end, the profiteers hold the power! Right? Teachers, doctors, artists... who the hell cares? Who needs education? Health? CULTURE???

—and I turn Parazitii up louder, while I wait... IMPATIENTLY... for my work permit for Australia to be approved— Adi Pircalabu, here I come! 🙂

look out the window

Posted: May 27, 2009 in thoughts

From my place you can see the park...

Sun, light, warmth, summer, LIFE. In this weather I would go to the park, run among the trees and flowers, enjoy the sun and the warmth tickling my half-tanned skin.

I longed for this weather all winter, pulling one more sweater on, wanting so badly to be able to go outside in a thin dress.

Do I really have to write 50000 routing policies instead of sitting in the sun, enjoying the light and the warmth... I can't wait for the weekend, I want to go to the forest, have a barbecue like I used to with my friends a few years ago, or go boating on Herastrau, or eat cotton candy in Cismigiu, or play hide-and-seek among the little houses at the Muzeul Taranului. I am SICK of staying indoors, as if cold, frost, snow, mud and so on were still waiting for me outside.

art…mania

Posted: May 27, 2009 in thoughts

In Sibiu. In 2009: http://www.artmaniafestival.ro/

In 2009: My Dying Bride, Opeth, Tristania, Nightwish, Pain!!! In 2007 (I think) it was Haggard, My Dying Bride, Anathema...

For those who can make it, go for it! My Dying Bride and Opeth are really worth it.


“Descult in Parc” at Ion Dacian, or “Sase personaje in cautarea unui autor” at Bulandra.

Or “Vaduva vesela” at the Opereta. Or “Privighetoarea si trandafirul” at the TNB.


Sau: who needs culture anyway… 😐

cygwin

Posted: May 21, 2009 in technical

when you have to add NAT-traversal functionality for IPsec to half of the ~3000 gateways on a NetScreen, whether they use PSK or RSA auth, automatically, because you would have to be crazy to type that madness by hand, cygwin does wonders

well... that is when you don't know VBS or batch scripting and you are stuck on Windows
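Added example, mine rather than the post's own script, for two jobs these posts describe: generating one dynamic IKE gateway per peer keyed on the certificate CN (the fix the dynamic ike post arrived at, instead of a static address entry), and bulk-adding nat-traversal to every gateway in a saved config (the cygwin job). The gwN/vpnN names, the interface and proposal names, and the placeholder hashes are assumptions modelled on the config quoted in the post; `dynamic <id>` and `nat-traversal` are ScreenOS keywords as I know them, so check them against your release before pasting the output into the CLI.

```shell
#!/bin/sh
# Added example, not the post's own script. gen_dynamic_gateways emits one
# dynamic IKE gateway per peer, identified by the certificate CN instead of
# the source address; add_nat_traversal appends a nat-traversal line for
# every gateway found in a saved config. Names, interface and proposals are
# assumptions modelled on the config quoted in the post; verify the
# "dynamic <id>" and "nat-traversal" keywords against your ScreenOS release.
OUT_IF="ethernet2/2"
P1_PROPOSAL="rsa-g14-aes256-sha-360"
P2_PROPOSAL="g5-esp-aes256-sha-300"

# gen_dynamic_gateways N: gateway, peer-CA binding and VPN for peer1..peerN.
gen_dynamic_gateways() {
  i=1
  while [ "$i" -le "$1" ]; do
    printf 'set ike gateway "gw%d" dynamic "CN=peer%d" Main outgoing-interface "%s" proposal "%s"\n' \
      "$i" "$i" "$OUT_IF" "$P1_PROPOSAL"
    # CA_HASH_PLACEHOLDER stands for the peer CA certificate hash on your box
    printf 'set ike gateway "gw%d" cert peer-ca-hash CA_HASH_PLACEHOLDER\n' "$i"
    printf 'set vpn "vpn%d" gateway "gw%d" tunnel idletime 0 proposal "%s"\n' "$i" "$i" "$P2_PROPOSAL"
    i=$((i + 1))
  done
}

# add_nat_traversal [NAME_REGEX]: read a saved config on stdin and emit one
# nat-traversal line per distinct gateway (PSK or RSA alike) whose name
# matches NAME_REGEX (default: every gateway).
add_nat_traversal() {
  awk -F'"' -v pat="${1:-.}" '
    /^set ike gateway "/ && $2 ~ pat && !seen[$2]++ {
      printf "set ike gateway \"%s\" nat-traversal\n", $2
    }'
}

# Constructed sample config, patterned on the lines quoted in the post
# (the pre-shared key is replaced by a placeholder).
SAMPLE_CFG='set ike gateway "1s2sRNAT" address test. Main outgoing-interface "ethernet2/2" preshare "PSK_PLACEHOLDER" proposal "rsa-g14-aes256-sha-360"
set ike gateway "1s2sRNAT" cert peer-ca-hash CA_HASH_PLACEHOLDER
set ike gateway "gw2" dynamic "CN=peer2" Main outgoing-interface "ethernet2/2" proposal "rsa-g14-aes256-sha-360"
set vpn "1-s2s-rnat" gateway "1s2sRNAT" no-replay tunnel idletime 0 proposal "g5-esp-aes256-sha-300"'

gen_dynamic_gateways 3
printf '%s\n' "$SAMPLE_CFG" | add_nat_traversal
```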

while… do

Posted: May 6, 2009 in media-culture, technical

while bgp

do remember_good_times:

(Satyricon)


skinny

Posted: May 6, 2009 in technical, thoughts

note: how great it would be if the nutcases at Cisco built a machine at least 50% compliant with... anything! That “anything” includes their own earlier versions of machines

4.58 AM: or one more night lost