Fedora 7 to 8

As it’s quiet at work (due to the usual x-mas madness) I decided on Friday to upgrade from Fedora 7 to 8. This was a bit of a risk for me since I have F7 running perfectly. The Fedora release notes advise a clean install over an upgrade, so it’s important when you do this to back up /etc so that you can restore anything you need later.

As with all Fedora installs it’s always two steps forward and one step back; my reasons for upgrading were:

Unfortunately, so far I’ve had a couple of issues (my steps back):

It’s a shame that Beagle still doesn’t index my Evolution Exchange account, but other than that all looks good; the wallpaper that changes with the time of day is a neat feature. I recommend the following resources to anyone looking to upgrade or use Fedora.

Cisco VPN 3k Config for iPhone

Recently I was asked if I could help set up a VPN connection between an Apple iPhone and a Cisco VPN Concentrator 3000. My first round of googling didn’t look good; there’s a discussion here complaining about how crap VPN support on the iPhone is. Further searching led me to a Cisco document which specifically targets Mac clients; this document is for ASA configuration, but if you look carefully* everything you need is in there.

*No, I didn’t get this working first time; it took me a good couple of hours of googling, but looking back I can see that all the info is there.

The key to getting this working is that the iPhone side is not as configurable as it should be, so if you’re trying to get this to work you need to be talking to the IT administrator to get the concentrator side changed. The first word of warning is that the iPhone client doesn’t support group authentication, so you’re going to be changing the base group. By default most “production” groups inherit settings from the base group, so you will need to make sure that anything you change in the base group doesn’t affect your other L2L or Remote Access tunnels. (You have been warned.)

To get started: for whatever reason the iPhone only supports Cisco’s NAT-T implementation of IPsec, so if you have a firewall or access-list in front of your concentrator you’re going to need to open up UDP 4500, then enable NAT Transparency. Another word of warning about NAT-T: we found that existing VPNs to Cisco routers started to fail after enabling this, which was a bit odd as NAT-T wasn’t enabled under any of the L2L profiles. Anyway, to fix the issue we enabled NAT-T on the routers (again, make sure UDP 4500 is allowed through any ACLs) and under “conf t” issued:

crypto ipsec nat-transparency udp-encapsulation

So, back to the cVPN3k config:

Configuration -> Tunnel & Security -> NAT Transparency
IPSEC over NAT-T - TICK

So a quick explanation of the above so you get the idea: from the tree on the left, click “Configuration”, then “Tunnel & Security”, then “NAT Transparency”, and tick the box next to NAT-T.

Now you need to set up your PHASE 1 proposal:

Configuration -> Tunnel & Security -> IPSEC -> IKE Proposal

I called mine iphone; you need to configure the following settings:

  • Authentication: Preshared Key (NOT the one with Xauth)
  • Hash: SHA-1
  • Encryption: 3DES
  • Diffie-Hellman: Group 2

After phase one, comes PHASE 2:

Configuration -> Policy Management -> Traffic Management -> SA

Again, add the following settings; I called mine iphone:

  • Authentication: ESP / SHA
  • Encryption: 3DES
  • Encapsulation: Transport
  • IKE Proposal = iphone (or whatever your phase 1 was called)

Then finally we start working with the groups; as mentioned above, you need to work with the base group:

Configuration -> User Management -> Base Group

You need to enable the following; the other settings are optional:

On the Base Group Tab,

  • Tunnel Protocol: Tick “L2TP over IPSec”

On the IPSEC Tab,

  • Authentication: Internal or NT, depending on what you’ve already configured for other Remote Access profiles.
  • IPSEC SA is set to: iphone
  • Default Preshared Key: Set this to something really, really long (this will be your secret on the iPhone)

On the PPTP/L2TP Tab,

  • L2TP Authentication Protocols: Tick MSCHAPv1 / MSCHAPv2
  • L2TP Encryption: Tick 40 & 128 bit

DONE! Now, with a little bit of luck, your iPhone should connect.
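If the phone still won’t connect, the first thing worth checking is what phase 1 proposal the client is actually offering. As an added example (not from the original post), here is a small Python parser for an IKEv1 KEY_IKE transform payload (RFC 2408 / RFC 2409) that decodes the offered attributes and reports any mismatch against the iphone proposal above (3DES, SHA-1, pre-shared key, DH group 2), flagging the XAUTH pre-shared variant the post says not to select. The two sample transforms are constructed inline rather than captured, and the attribute-value tables are assumptions limited to the values shown.

```python
import struct

# IKEv1 phase-1 attribute classes (RFC 2409 Appendix A); 65001 is XAUTHInitPreShared
# from the ISAKMP XAUTH draft, i.e. the "Preshared Key with Xauth" variant to avoid.
ATTR = {1: "encryption", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life_secs"}
VALUES = {
    "encryption": {1: "DES", 5: "3DES", 7: "AES"},
    "hash": {1: "MD5", 2: "SHA-1"},
    "auth": {1: "PSK", 3: "RSA-SIG", 65001: "XAUTH-PSK"},
    "group": {1: "group1", 2: "group2", 5: "group5", 14: "group14"},
}
# What the post's "iphone" IKE proposal is set to.
IPHONE_PROPOSAL = {"encryption": "3DES", "hash": "SHA-1", "auth": "PSK", "group": "group2"}

def build_transform(attrs):
    """Build one ISAKMP transform payload (RFC 2408 s3.6) from (class, value) pairs in TV form."""
    body = b"".join(struct.pack("!HH", 0x8000 | cls, val) for cls, val in attrs)
    # next payload 0 (last), reserved, length, transform #1, transform ID 1 (KEY_IKE), reserved
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), 1, 1, 0) + body

def parse_transform(data):
    """Decode the attributes of a KEY_IKE transform payload; handles TV and TLV encodings."""
    _, _, length, _, tid, _ = struct.unpack("!BBHBBH", data[:8])
    if tid != 1 or length > len(data):
        raise ValueError("not a well-formed KEY_IKE transform")
    attrs, off = {}, 8
    while off + 4 <= length:
        cls, val = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if not cls & 0x8000:             # TLV: 'val' is the length of a variable-size value
            val, off = int.from_bytes(data[off:off + val], "big"), off + val
        name = ATTR.get(cls & 0x7FFF, cls & 0x7FFF)
        attrs[name] = VALUES.get(name, {}).get(val, val)
    return attrs

def check_proposal(data, expected=IPHONE_PROPOSAL):
    """Return the list of mismatches between a captured transform and the expected proposal."""
    got = parse_transform(data)
    return [f"{k}: expected {v}, got {got.get(k)}" for k, v in expected.items() if got.get(k) != v]

# Constructed sample transforms (not captured traffic): one matching the post's settings,
# one that a client configured for group (XAUTH) authentication would send.
GOOD = build_transform([(1, 5), (2, 2), (3, 1), (4, 2), (11, 1), (12, 28800)])
XAUTH = build_transform([(1, 5), (2, 2), (3, 65001), (4, 2)])

if __name__ == "__main__":
    print(parse_transform(GOOD))
    print(check_proposal(XAUTH))   # the auth mismatch is reported
```

In practice you would feed it the transform bytes pulled out of an ISAKMP Main Mode packet captured on UDP 500 or 4500 on the concentrator side.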

A quick note about comments: all support requests will be deleted. I don’t have access to a concentrator to offer any meaningful advice; you use the above config at your own risk.

Fixing Some Life-Irritating Bugs…

As Christmas draws closer, time becomes more of a premium and as a result blog activity suffers. I’ve thought about using Twitter for my blog category; in the meantime I’m using it with Google Talk & Facebook, so we’ll see if that develops.

I’ve had a chance to fix some annoying bugs with my laptop/life and thought I’d share them here. They’ll pop up in delicious when I get a chance to go through my shared list, but until then here are some links:

Fedora: Java Clobbers/Breaks File Associations in Gnome/Nautilus
Gmail: Can’t enable IMAP, because it’s not available in UK English.
WMA to MP3: Converted some old tracks I found in a backup.
Gnome: Changed the colour of tooltips as doing it in the theme file didn’t work
Eye Candy: Fixed my CPU Temp Gauge (by typing sensors-detect, and following the instructions!)

Enjoy!

PKI: Cisco Routers as a Certificate Authority

I’ve had a new request in recently: as part of a move to SCEP + certificates (away from pre-shared keys) a customer has asked if we could use the PKI CA built into Cisco’s router IOS. Now this is a new idea to me; in the past people have either “plumped” for Microsoft’s CA implementation or cooked something up themselves with OpenSSL.

Cisco’s IOS Security Guide (you may need a CCO login) clearly states that it’s possible and that it supports SCEP auto-enrolment, so I thought I’d give it a go!

I don’t have any routers available at the moment, but I’ve been able to get things tested within GNS3 (GNS3 screen shot). What I’ve done is set up a basic implementation: I have a router called “CA” which would be the root certificate authority and would typically be on the inside of your network; then I have a router called “VPN_A”, which would be the HQ VPN termination device that all the remote (or branch) routers connect to. This router is configured with SCEP and is able to download the CRL from CA over HTTP. The final router is “VPN_B”; this router has been enrolled manually with a “copy / paste” and does not have HTTP access to the CA. Below is a screen shot of what I’ve done.

Example configs and a .net config file, which can be imported into GNS3 (with a little tweaking), are available in my cisco directory. Hopefully these examples give enough detail on how to manually or automatically enrol the routers and set up an IPsec VPN. Obviously they’re not complete configs (no usernames & passwords set, for a start) but there should be enough for someone to integrate this into their existing templates.