Daily Archives: April 3, 2013

ipsec vpn tunnel…

asa_vpn_topo

before traffic, no security association…

asa_vpn_tun_before_traffic

host1 pings host2; notice the delay on the first replies while the security associations are negotiated

host1_ping_success

asa1 is the initiator…

asa1_sa_good

asa2 is the responder…

asa2_sa_good

the capture…

asa_vpn_isakmp

the config on asa1… mirror it on the other end as needed (swap the peer address and the inside/remote objects)…

!asa1 vpn commands
!(object network inside-net and object network remote-net are assumed to be defined already; not shown here)

!enable isakmp on the outside interface
crypto isakmp enable outside

!crypto acl: the interesting traffic, inside-net to remote-net (mirrored on the peer)
access-list outside-crypto permit ip object inside-net object remote-net

!tunnel group for the l2l peer
tunnel-group 22.1.1.1 type ipsec-l2l
tunnel-group 22.1.1.1 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 10 retry 2

!phase 1 (isakmp sa, key exchange)
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 3600

!phase 2 (ipsec sa, tunnel setup)
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map CMAP 1 match address outside-crypto
!pfs group is negotiated separately from the phase 1 dh group; both peers must agree on it
crypto map CMAP 1 set pfs group1
crypto map CMAP 1 set peer 22.1.1.1
crypto map CMAP 1 set transform-set TS
crypto map CMAP interface outside

!NAT exemption (identity nat): vpn traffic between inside-net and remote-net is not translated
nat (inside,outside) 1 source static inside-net inside-net destination static remote-net remote-net

Transform sets

from andrew mason:

IPSec Transforms

An IPSec transform specifies a single IPSec security protocol (either AH or ESP) with its corresponding security algorithms and mode. Example transforms include the following:

  • The AH protocol with the HMAC with MD5 authentication algorithm in tunnel mode is used for authentication.
  • The ESP protocol with the triple DES (3DES) encryption algorithm in transport mode is used for confidentiality of data.
  • The ESP protocol with the 56-bit DES encryption algorithm and the HMAC with SHA-1 authentication algorithm in tunnel mode is used for authentication and confidentiality.

Transform Sets

A transform set is a combination of individual IPSec transforms designed to enact a specific security policy for traffic. During the ISAKMP IPSec security association negotiation that occurs in IKE phase 2 quick mode, the peers agree to use a particular transform set for protecting a particular data flow. Transform sets combine the following IPSec factors:

  • Mechanism for payload authentication—AH transform
  • Mechanism for payload encryption—ESP transform
  • IPSec mode (transport versus tunnel)

Transform sets equal a combination of an AH transform, plus an ESP transform, plus the IPSec mode (either tunnel or transport mode).

3.7.g Implement and troubleshoot AS path manipulations

3.7.g [iii] Regexp

grep has been around as long as unix, which puts it back to the 70’s… grep means global regular expression parser, or in some references, global regular expression and print, and in still others, globally replace and print…  basically, anytime you filter IOS output, you are using grep…

from my linux box:

arteq@arteq-p7-1254:~$ ls -al | grep gns
drwxrwxr-x 33 arteq arteq  4096 Mar 27 07:37 gns3save

and from a router…

r3#sh run | i router
router eigrp 101

using regular expressions for bgp in IOS is the same principle; it’s not magic, it’s unix conventions from way back…
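An added example (not from the post) in Python: IOS AS-path regexes are ordinary regular expressions plus one Cisco extension, the `_` delimiter, and the translation, patterns and sample AS paths below are constructed to show why plain `100` is not the same as `_100_`.

```python
import re

# IOS AS-path regex extension: '_' matches anything that can delimit an AS
# number in an AS path: start or end of string, space, comma, brace or paren.
# Everything else is the same regex syntax grep has used since the 70s.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_to_python(ios_pattern: str) -> str:
    """Translate an IOS-style AS-path regex into an equivalent Python regex."""
    return ios_pattern.replace("_", IOS_UNDERSCORE)


def as_path_matches(ios_pattern: str, as_path: str) -> bool:
    """True if the AS path (as printed by 'show ip bgp') matches the IOS regex."""
    return re.search(ios_to_python(ios_pattern), as_path) is not None


def filter_paths(ios_pattern: str, as_paths):
    """Return the AS paths that match, in their original order (like an as-path access-list permit)."""
    return [p for p in as_paths if as_path_matches(ios_pattern, p)]


# Constructed sample AS paths, in the format 'show ip bgp' prints them.
SAMPLE_PATHS = [
    "",             # locally originated prefix (empty AS path)
    "100",          # learned directly from AS 100, originated there
    "100 200",      # via AS 100, originated in AS 200
    "300 100 200",  # AS 100 in the middle of the path
    "1100 200",     # contains the digits 100 but does NOT pass through AS 100
    "200 100",      # originated in AS 100, learned via AS 200
]

if __name__ == "__main__":
    # Plain '100' behaves like grep and also matches '1100 200'; '_100_' does not.
    for pattern in ("^$", "100", "_100_", "^100_", "_200$"):
        print(f"{pattern:8s} -> {filter_paths(pattern, SAMPLE_PATHS)}")
```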

on your nix box do “man grep”

GREP(1)                                                                GREP(1)

NAME
grep, egrep, fgrep, rgrep - print lines matching a pattern

SYNOPSIS
grep [OPTIONS] PATTERN [FILE...]
grep [OPTIONS] [-e PATTERN | -f FILE] [FILE...]

DESCRIPTION
grep  searches the named input FILEs (or standard input if no files are
named, or if a single hyphen-minus (-) is given as file name) for lines
containing  a  match to the given PATTERN.  By default, grep prints the
matching lines.

from cisco: http://www.cisco.com/en/US/docs/ios/12_2/termserv/configuration/guide/tcfaapre_ps1835_TSD_Products_Configuration_Guide_Chapter.html

General Concepts About Regular Expressions

A regular expression is entered as part of a command and is a pattern made up of symbols, letters, and numbers that represent an input string for matching (or sometimes not matching). Matching the string to the specified pattern is called pattern matching.