How to Configure EIGRP Named Mode Authentication

Sep 28, 2022 | Networking, Security

Configure EIGRP Named Mode Authentication

In this lab, we’ll configure authentication when running EIGRP in named mode.

Classic-mode EIGRP supports only MD5 authentication; named-mode EIGRP supports both MD5 and HMAC-SHA-256.

HMAC-SHA-256 is the stronger of the two and should be the default choice; MD5 remains for interoperability.

A named-mode router can still authenticate with a classic-mode neighbour, but only in MD5 mode, because classic mode has no HMAC-SHA-256 support.

Why EIGRP Authentication?

Authentication lets a router verify that each EIGRP packet it receives was built by a peer holding the shared key; packets from a device that does not hold the key are discarded and no adjacency forms.

That keeps unauthorised or rogue routers from becoming neighbours of the corporate routers.

A rogue neighbour could otherwise inject bogus prefixes, pull traffic toward itself or blackhole it, or flood the topology table, so the impact ranges from invalid routes and traffic interception to denial of service.

What Our Configuration Looks Like

In our setup, we have three routers: R1, R2 and R3.

All of the routers are running EIGRP in named mode.

Between routers R1 and R2, we’ll be configuring MD5 authentication using a key chain.

The key chain name does not need to match on the two routers, but the key ID and the key string must be identical on R1 and R2.

Subsequently, we’ll go in for HMAC-SHA-256 authentication between R2 and R3.

HMAC-SHA-256 authentication can be configured with or without a key chain: the password on the authentication mode line is enough on its own, which is why most HMAC-SHA-256 examples omit the key chain.

The key chain is still worth adding, because it is what gives a key an ID and accept/send lifetimes, and overlapping lifetimes are how you rotate a key without dropping the adjacency. The key chains in this lab leave both lifetimes at always valid; in production, set them.

Between R2 and R3, we'll first configure HMAC-SHA-256 authentication without a key chain and then add a key chain to the configuration.

Following the two modes of authentication, we’ll run a bunch of Verify commands to ensure our goals are met.

Configure EIGRP Named Mode Authentication

IP addresses have already been configured on the three routers; you can check them in the topology diagram at the top of this post.

Once again, all three routers run EIGRP in named mode.
====================
Configure MD5 Authentication between R1 and R2
R1 Configuration
conf t
key chain ROMEO
key 1
key-string Cisco@123
exit
!
router eigrp TESTING
address-family ipv4 unicast autonomous-system 123
network 10.11.1.1 0.0.0.0
!
af-interface gig0/0
authentication mode md5
authentication key-chain ROMEO
!
exit-af-interface
exit-address-family

R2 Configuration
conf t
key chain ROMEO
key 1
key-string Cisco@123
exit
!
router eigrp NESTING
address-family ipv4 autonomous-system 123
network 10.11.1.2 0.0.0.0
network 10.12.1.1 0.0.0.0
!
af-interface gig0/1
authentication mode md5
authentication key-chain ROMEO
exit
! Configuring HMAC-SHA-256 Authentication between R2 and R3
af-interface gig0/2
! 0 = the password is typed in cleartext; 7 would tell IOS the string is already
! type-7 encoded, which a value like Password@1 is not
authentication mode hmac-sha-256 0 Password@1
exit-af-interface
exit-address-family
exit
!
R3 Configuration
conf t
router eigrp PESTING
address-family ipv4 autonomous-system 123
network 10.12.1.2 0.0.0.0
! HMAC-SHA-256 Authentication between R3 and R2
af-interface gig0/3
! 0 = cleartext password, must match R2's value exactly
authentication mode hmac-sha-256 0 Password@1
exit-af-interface
exit-address-family
exit

As you can see above, we’ve not configured a key chain for HMAC-SHA-256 authentication between R2 and R3.
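The 7 in the original authentication mode hmac-sha-256 7 Password@1 line deserves a word, because it is the one thing in this lab a reviewer would flag. IOS uses 0 for a password typed in cleartext and 7 for a string that is already in its type-7 format (a two-digit salt followed by hex byte pairs); Password@1 is not such a string, so the command should use 0. Type 7 is also only a reversible XOR against a fixed constant, so it hides a key from someone looking over your shoulder and from nobody else; the show key chain output later in this post prints the key strings in the clear for the same reason. On platforms that support it, key config-key password-encryption together with password encryption aes stores key-chain key strings and ISAKMP keys as type 6 (AES) instead. The following Python is an added example, not code from the original post: it encodes and decodes type 7 using the well-known IOS constant, checks whether a string even has the type-7 shape, and pulls every type-7 secret out of a config snippet constructed for this example.

```python
"""Cisco type-7 password obfuscation: reversible, so treat '7' strings as cleartext.

Added example, not code from the original post. _XLAT is the fixed constant
IOS has always used for type 7; the config snippet at the bottom is
constructed for this example, not taken from the lab.
"""
import re

_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# What IOS emits: a two-digit decimal salt (00-15) followed by hex byte pairs.
_TYPE7_RE = re.compile(r"^(0\d|1[0-5])((?:[0-9A-Fa-f]{2})+)$")


def is_type7(s):
    """True if s has the shape of a type-7 string; 'Password@1' does not."""
    return _TYPE7_RE.match(s) is not None


def type7_decode(encoded):
    """Recover the plaintext: each byte is XORed with _XLAT starting at the salt offset."""
    m = _TYPE7_RE.match(encoded)
    if m is None:
        raise ValueError("not a type-7 string: %r" % encoded)
    salt, body = int(m.group(1)), bytes.fromhex(m.group(2))
    return "".join(chr(b ^ _XLAT[(salt + i) % len(_XLAT)]) for i, b in enumerate(body))


def type7_encode(plain, salt=8):
    """Produce what IOS would store; the salt only shifts the XOR key stream."""
    if not 0 <= salt <= 15:
        raise ValueError("salt must be 0..15")
    body = bytes(ord(c) ^ _XLAT[(salt + i) % len(_XLAT)] for i, c in enumerate(plain))
    return "%02d%s" % (salt, body.hex().upper())


def recover_secrets(config):
    """Map every '7 <blob>' argument found in a config to its plaintext."""
    found = {}
    for blob in re.findall(r"\s7 ([0-9A-Fa-f]+)\b", config):
        if is_type7(blob):
            found[blob] = type7_decode(blob)
    return found


# Constructed snippet: a key-chain key stored as type 7, plus the lab's line
# that passes a cleartext value where IOS expects a type-7 blob.
SAMPLE_CONFIG = """\
key chain ROMEO
 key 1
  key-string 7 0822455D0A16
router eigrp TESTING
 address-family ipv4 unicast autonomous-system 123
  af-interface GigabitEthernet0/0
   authentication mode hmac-sha-256 7 Password@1
"""

if __name__ == "__main__":
    print(recover_secrets(SAMPLE_CONFIG))   # {'0822455D0A16': 'cisco'}
    print(is_type7("Password@1"))           # False: not a valid argument after '7'
    print(type7_encode("Cisco567", salt=3))
```

Run recover_secrets over a saved show run when reviewing a config export; anything it returns should be treated as a cleartext credential, and a 7 followed by a string that fails is_type7 is a configuration error rather than a protected key.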

Verify EIGRP Authentication

Having completed the configurations, let’s run a bunch of verify commands.

Verify MD5 Authentication between R1 and R2
R1#sh ip eigrp int detail gig0/0
EIGRP-IPv4 VR(TESTING) Address-Family Interfaces for AS(123)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Gi0/0 1 0/0 0/0 1594 0/0 7972 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial
Packetized sent/expedited: 2/0
Hello’s sent/expedited: 92/2
Un/reliable mcasts: 0/2 Un/reliable ucasts: 2/2
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 1 Out-of-sequence rcvd: 0
Topology-ids on interface – 0
Authentication mode is md5, key-chain is “ROMEO”
Topologies advertised on this interface: base
Topologies not advertised on this interface:

Verify HMAC-SHA-256 Authentication between R2 and R3
R2#sh ip eigrp int detail gig0/2
EIGRP-IPv4 VR(NESTING) Address-Family Interfaces for AS(123)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Gi0/2 1 0/0 0/0 0 0/0 50 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial
Packetized sent/expedited: 1/0
Hello’s sent/expedited: 103/2
Un/reliable mcasts: 0/1 Un/reliable ucasts: 3/3
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 2 Out-of-sequence rcvd: 0
Topology-ids on interface – 0
Authentication mode is HMAC-SHA-256, key-chain is not set
Topologies advertised on this interface: base
Topologies not advertised on this interface:

Check Key Chain on R1
R1#show key chain
Key-chain ROMEO:
key 1 — text “Cisco@123”
accept lifetime (always valid) – (always valid) [valid now]
send lifetime (always valid) – (always valid) [valid now]

Check Key Chain on R2
R2#show key chain
Key-chain ROMEO:
key 1 — text “Cisco@123”
accept lifetime (always valid) – (always valid) [valid now]
send lifetime (always valid) – (always valid) [valid now]

Adding Key Chain on R2 and R3 (HMAC-SHA-256 mode)

R2 Configuration
conf t
key chain JULIET-CHAIN
key 2
key-string Bisco@123
exit
!
router eigrp NESTING
address-family ipv4 autonomous-system 123
af-interface gig0/2
authentication key-chain JULIET-CHAIN
exit

R3 Configuration
conf t
key chain JULIET-CHAIN
key 2
key-string Bisco@123
exit
!
router eigrp PESTING
address-family ipv4 autonomous-system 123
af-interface gig0/3
authentication key-chain JULIET-CHAIN
exit
=================
Verify R2 with HMAC-SHA-256 AND Key Chain
R2#show ip eigrp int detail gig0/2
EIGRP-IPv4 VR(NESTING) Address-Family Interfaces for AS(123)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Gi0/2 1 0/0 0/0 10 0/0 50 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial
Packetized sent/expedited: 2/0
Hello’s sent/expedited: 1518/3
Un/reliable mcasts: 0/2 Un/reliable ucasts: 5/4
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 2 Out-of-sequence rcvd: 1
Topology-ids on interface – 0
Authentication mode is HMAC-SHA-256, key-chain is “JULIET-CHAIN”
Topologies advertised on this interface: base
Topologies not advertised on this interface:

Verify Authentication on R3 AFTER Adding Key Chain
R3#show key chain
Key-chain JULIET-CHAIN:
key 2 — text “Bisco@123”
accept lifetime (always valid) – (always valid) [valid now]
send lifetime (always valid) – (always valid) [valid now]

How to Configure DMVPN

Sep 23, 2022 | Networking, Security

DMVPN Configuration

Dynamic Multipoint Virtual Private Network (DMVPN) owes its popularity to two primary reasons: scalability and simplicity of configuration.

In large organizations with lots of branches, configuring dozens of point-to-point VPN tunnels is an error-prone and cumbersome exercise.

So Cisco introduced the DMVPN technology nearly two decades ago.

DMVPN has another point in its favour: it runs the IP routing protocols you already use (EIGRP, OSPF, BGP, RIP); IS-IS, which is not carried in IP packets, is the exception.

DMVPN Foundation Technologies

* Next Hop Resolution Protocol (NHRP): an ARP-like resolution protocol and cache that maps a tunnel IP address to the peer's Non-Broadcast Multi-Access (NBMA) public IP address.
* Multipoint GRE (mGRE) interface: a single GRE interface that terminates many GRE/IPsec tunnels and endpoints; unlike a point-to-point GRE tunnel, an mGRE tunnel has no tunnel destination, because NHRP supplies it per peer.
* IPsec: protects the DMVPN tunnels; both IKEv1 and IKEv2 are supported. DMVPN works without IPsec, but GRE and NHRP are then cleartext on the wire, and the ip nhrp authentication string is a cleartext tag that any on-path observer can read, not a cryptographic check, so there is rarely a reason to run it that way.

DMVPN has gone through three phases; Phase 3 (NHRP redirect on the hub, NHRP shortcut on the spokes, so spoke-to-spoke tunnels are built on demand) is the one to deploy today and the one this lab configures.

DMVPN – Phase 3 Configuration

In our topology (see at the top of this post), the IP addresses of the routers and PCs have already been configured.

You can check the IP address, Network ID, Subnet Mask and Interface IDs in the topology diagram.

So we’ll get straight down to DMVPN and IPsec configuration.

Toward the end of this post, we’ll run a few show commands.

! DMVPN Configuration
HQ is our Hub router and Branch A, Branch B and Branch C are the Spoke routers.

! HQ Router
! Configure Default Static Route on HQ Router
conf t
ip route 0.0.0.0 0.0.0.0 20.1.1.2
exit

!mGRE Configuration on HQ (Hub) Router
Configure Tunnel
conf t
interface tunnel 0
ip address 172.16.10.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source gig0/0
tunnel mode gre multipoint

tunnel key 123
no shut
exit

! Configuring NHRP on Tunnel Interfaces of HQ Router
interface tunnel 0
ip nhrp network-id 1
ip nhrp authentication Cisco567

ip nhrp map multicast dynamic
ip nhrp redirect
exit

!Configure Dynamic Routing
router eigrp 5
network 172.16.10.0 0.0.0.255
no auto-summary
end

! Phase 3 hub: split horizon must be off so a prefix learned from one spoke is re-advertised to the others;
! disabling next-hop-self is a Phase 2 requirement and is harmless here
conf t
interface tunnel 0
no ip next-hop-self eigrp 5
no ip split-horizon eigrp 5
exit
============================
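The ip mtu 1400 and ip tcp adjust-mss 1360 lines on the tunnel are there because tunnel protection (configured in the IPsec section further down) wraps every packet leaving the tunnel in GRE and ESP before it hits the 1500-byte physical interface. The following Python is an added example, not part of the original post, that reproduces the arithmetic for this lab's settings: a GRE key (tunnel key 123), AES-256-CBC with a 128-bit truncated HMAC-SHA-256 ICV (the esp-aes 256 esp-sha256-hmac transform set used later), and the IPsec profile left at its default tunnel mode. The header sizes are the standard ones from RFC 791 (IPv4), RFC 2890 (GRE), RFC 4303 (ESP) and RFC 4868 (HMAC-SHA-256-128); the function names and the 1500-byte link MTU are this example's own assumptions.

```python
"""Size a packet after mGRE + ESP encapsulation, to sanity-check 'ip mtu 1400'.

Added example, not code from the original post. Header sizes are the
standard ones (IPv4 RFC 791, GRE RFC 2890, ESP RFC 4303, HMAC-SHA-256-128
RFC 4868); the function names and the 1500-byte link MTU are assumptions
made for this example.
"""

IPV4_HDR = 20          # outer IPv4 header without options
GRE_BASE = 4           # flags/version + protocol type
GRE_KEY = 4            # added by 'tunnel key 123'
ESP_HDR = 8            # SPI + sequence number
AES_CBC_IV = 16        # one AES block, sent in clear ahead of the ciphertext
AES_BLOCK = 16         # payload + trailer is padded to a whole cipher block
ESP_TRAILER = 2        # pad-length + next-header bytes
SHA256_128_ICV = 16    # HMAC-SHA-256 truncated to 128 bits (esp-sha256-hmac)
NAT_T_UDP = 8          # UDP/4500 header added when NAT traversal is in use
TCP_IP_HDRS = 40       # IPv4 + TCP headers without options, for the MSS math


def esp_padding(plaintext_len):
    """Bytes of padding so (plaintext + trailer) fills whole cipher blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK


def gre_packet_size(inner_len, tunnel_key=True):
    """Outer IP + GRE header + the inner IP packet that was routed into the tunnel."""
    return IPV4_HDR + GRE_BASE + (GRE_KEY if tunnel_key else 0) + inner_len


def esp_wire_size(gre_len, mode="tunnel", nat_t=False):
    """Size on the physical link once 'tunnel protection' has encrypted the GRE packet."""
    if mode == "tunnel":
        plaintext = gre_len             # the whole GRE packet, its IP header included
    elif mode == "transport":
        plaintext = gre_len - IPV4_HDR  # GRE's own IP header is reused as the outer header
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    size = (IPV4_HDR + ESP_HDR + AES_CBC_IV + plaintext
            + esp_padding(plaintext) + ESP_TRAILER + SHA256_128_ICV)
    return size + (NAT_T_UDP if nat_t else 0)


def dmvpn_wire_size(inner_len, mode="tunnel", tunnel_key=True, nat_t=False):
    """End-to-end: inner packet -> mGRE -> ESP -> bytes on the wire."""
    return esp_wire_size(gre_packet_size(inner_len, tunnel_key), mode, nat_t)


def headroom(ip_mtu, link_mtu=1500, **kw):
    """Bytes to spare on the link for a full-size tunnel packet; negative means fragmentation."""
    return link_mtu - dmvpn_wire_size(ip_mtu, **kw)


def mss_for(ip_mtu):
    """The 'ip tcp adjust-mss' value that keeps a TCP segment inside 'ip mtu'."""
    return ip_mtu - TCP_IP_HDRS


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        for nat_t in (False, True):
            print(mode, "nat-t" if nat_t else "no-nat", dmvpn_wire_size(1400, mode, nat_t=nat_t),
                  "headroom", headroom(1400, mode=mode, nat_t=nat_t))
    print("adjust-mss for ip mtu 1400:", mss_for(1400))
```

With the lab's settings a 1400-byte packet comes out at exactly 1500 bytes in tunnel mode, so ip mtu 1400 fits with zero bytes to spare; NAT-T's extra UDP header would push it over and force fragmentation or a lower MTU. Setting mode transport in the transform set saves the duplicated outer IP header (the same packet becomes 1484 bytes), which is why Cisco's DMVPN guidance recommends transport mode. The MSS value is simply the tunnel MTU minus 40 bytes of IPv4 and TCP headers.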
Let’s configure the Spoke Routers (aka Branch Routers) now.

! Branch-A Router Configuration
Configure Default Static Route to ISP Router
conf t
ip route 0.0.0.0 0.0.0.0 30.1.1.2
end

!mGRE Configuration on Branch-A
Configure Tunnel on Branch A
conf t
interface tunnel 0
ip address 172.16.10.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source g0/1
tunnel mode gre multipoint

tunnel key 123
no shut

! Configuring NHRP Inside the Tunnel Interfaces
conf t
interface tunnel 0

ip nhrp network-id 1
ip nhrp authentication Cisco567
ip nhrp map 172.16.10.1 20.1.1.1
ip nhrp map multicast 20.1.1.1
ip nhrp nhs 172.16.10.1

ip nhrp shortcut
exit

! Configure Dynamic Routing (Tunnel & LAN)
conf t
router eigrp 5
network 172.16.10.0 0.0.0.255
network 192.168.1.0 0.0.0.255
no auto-summary
end
============================
! Branch-B Router Configuration
Configure Default Static Route to ISP Router
conf t
ip route 0.0.0.0 0.0.0.0 40.1.1.2
end

!mGRE Configuration on Branch-B
Configure Tunnel
conf t
interface tunnel 0
ip address 172.16.10.3 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source gig0/2
tunnel mode gre multipoint

tunnel key 123
no shut
exit

! Configuring NHRP on Tunnel Interfaces
interface tunnel 0
ip nhrp network-id 1
ip nhrp authentication Cisco567

ip nhrp map 172.16.10.1 20.1.1.1
ip nhrp map multicast 20.1.1.1
ip nhrp nhs 172.16.10.1

ip nhrp shortcut
exit

! Configure Dynamic Routing (Tunnel & LAN)
router eigrp 5
network 192.168.2.0 0.0.0.255
network 172.16.10.0 0.0.0.255
no auto-summary
end
============================
! Branch-C Router Configuration
Configure Default Static Route to ISP Router
conf t
ip route 0.0.0.0 0.0.0.0 50.1.1.2

!mGRE Configuration on Branch-C
Configure Tunnel
interface tunnel 0
ip address 172.16.10.4 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source g0/3
tunnel mode gre multipoint
tunnel key 123
no shut
exit

! Configuring NHRP on the Tunnel Interfaces
interface tunnel 0

ip nhrp network-id 1
ip nhrp authentication Cisco567

ip nhrp map 172.16.10.1 20.1.1.1
ip nhrp map multicast 20.1.1.1
ip nhrp nhs 172.16.10.1

ip nhrp shortcut
exit

! Configure Dynamic Routing (Tunnel & LAN)
router eigrp 5
network 192.168.3.0 0.0.0.255
network 172.16.10.0 0.0.0.255
no auto-summary
end
============================

IPsec Configuration

Let's now work on the IPsec configuration on the hub and spokes. To keep the lab short, every router uses the same pre-shared key bound to a wildcard address (0.0.0.0 0.0.0.0), so the hub accepts any peer that knows that one key; in production, prefer IKEv2 with per-peer keys or certificates, and add mode transport to the transform set, which saves 20 bytes per packet and is what Cisco recommends for DMVPN, particularly when spokes sit behind NAT.

Apply IPSec Configuration to Routers
HQ Router
conf t
crypto isakmp policy 25
hash sha256
authentication pre-share
group 16
encryption aes 256
exit

crypto isakmp key Cisco123! address 0.0.0.0 0.0.0.0
crypto ipsec transform-set JACK esp-aes 256 esp-sha256-hmac
exit

crypto ipsec profile JAN-2022
set transform-set JACK

interface tunnel 0
tunnel protection ipsec profile JAN-2022

Branch-A Router
conf t
crypto isakmp policy 25
hash sha256
authentication pre-share
encryption aes 256
group 16
exit

crypto isakmp key Cisco123! address 0.0.0.0 0.0.0.0
crypto ipsec transform-set JACK esp-aes 256 esp-sha256-hmac
exit

crypto ipsec profile JAN-2022
set transform-set JACK
exit

interface tunnel 0
tunnel protection ipsec profile JAN-2022
exit
===================================
Branch-B Router
conf t
crypto isakmp policy 25
hash sha256
authentication pre-share
encryption aes 256
group 16
exit

crypto isakmp key Cisco123! address 0.0.0.0 0.0.0.0
crypto ipsec transform-set JACK esp-aes 256 esp-sha256-hmac
exit

crypto ipsec profile JAN-2022
set transform-set JACK
exit

interface tunnel 0
tunnel protection ipsec profile JAN-2022
exit
===================================
Branch-C Router
conf t
crypto isakmp policy 25
hash sha256
authentication pre-share
encryption aes 256
group 16
exit

crypto isakmp key Cisco123! address 0.0.0.0 0.0.0.0
crypto ipsec transform-set JACK esp-aes 256 esp-sha256-hmac
exit

crypto ipsec profile JAN-2022
set transform-set JACK
exit

interface tunnel 0
tunnel protection ipsec profile JAN-2022
exit
===================================

Verify DMVPN/IPsec

Let’s run a bunch of show commands now.

Branch-A#show dmvpn
Legend: Attrb –> S – Static, D – Dynamic, I – Incomplete
N – NATed, L – Local, X – No Socket
T1 – Route Installed, T2 – Nexthop-override
C – CTS Capable
# Ent –> Number of NHRP entries with same NBMA peer
NHS Status: E –> Expecting Replies, R –> Responding, W –> Waiting
UpDn Time –> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
—– ————— ————— —– ——– —–

1 20.1.1.1 172.16.10.1 UP 00:11:18 S

Two Trace Route Tests
In the first traceroute, PC1's traffic to 192.168.3.3 goes through the hub (172.16.10.1); that first flow triggers an NHRP redirect from the hub and an NHRP resolution from Branch-A, so in the second traceroute the path is spoke-to-spoke, straight from Branch-A to 172.16.10.4.

Trace Route Test 1
PC1> trace 192.168.3.3
trace to 192.168.3.3, 8 hops max, press Ctrl+C to stop
1 192.168.1.1 9.130 ms 4.943 ms 3.239 ms
2 172.16.10.1 28.634 ms 26.395 ms 24.367 ms
3 172.16.10.4 55.470 ms 56.578 ms 51.083 ms
4 *192.168.3.3 92.779 ms (ICMP type:3, code:3, Destination port unreachable)

Trace Route Test 2
PC1> trace 192.168.3.3
trace to 192.168.3.3, 8 hops max, press Ctrl+C to stop
1 192.168.1.1 5.135 ms 4.122 ms 4.057 ms
2 172.16.10.4 30.269 ms 22.106 ms 15.984 ms
3 *192.168.3.3 20.189 ms (ICMP type:3, code:3, Destination port unreachable)

Branch-A#show dmvpn
Legend: Attrb –> S – Static, D – Dynamic, I – Incomplete
N – NATed, L – Local, X – No Socket
T1 – Route Installed, T2 – Nexthop-override
C – CTS Capable
# Ent –> Number of NHRP entries with same NBMA peer
NHS Status: E –> Expecting Replies, R –> Responding, W –> Waiting
UpDn Time –> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
—– ————— ————— —– ——– —–
1 20.1.1.1 172.16.10.1 UP 00:12:21 S
2 50.1.1.1 172.16.10.4 UP 00:00:22 DT1
172.16.10.4 UP 00:00:22 DT2

Branch-A#show ip nhrp shortcut
172.16.10.4/32 via 172.16.10.4
Tunnel0 created 00:03:59, expire 01:56:01
Type: dynamic, Flags: router nhop rib
NBMA address: 50.1.1.1
192.168.3.0/24 via 172.16.10.4
Tunnel0 created 00:03:58, expire 01:56:00
Type: dynamic, Flags: router rib nho
NBMA address: 50.1.1.1
Branch-A#

Branch-A#show dmvpn detail
Legend: Attrb –> S – Static, D – Dynamic, I – Incomplete
N – NATed, L – Local, X – No Socket
T1 – Route Installed, T2 – Nexthop-override
C – CTS Capable
# Ent –> Number of NHRP entries with same NBMA peer
NHS Status: E –> Expecting Replies, R –> Responding, W –> Waiting
UpDn Time –> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 172.16.10.2, VRF “”
Tunnel Src./Dest. addr: 30.1.1.1/MGRE, Tunnel VRF “”
Protocol/Transport: “multi-GRE/IP”, Protect “JAN-2022”
Interface State Control: Disabled
nhrp event-publisher : Disabled

IPv4 NHS:
172.16.10.1 RE priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 3

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
—– ————— ————— —– ——– —– —————–
1 20.1.1.1 172.16.10.1 UP 00:20:03 S 172.16.10.1/32
2 50.1.1.1 172.16.10.4 UP 00:08:05 DT1 172.16.10.4/32
50.1.1.1 172.16.10.4 UP 00:08:05 DT2 192.168.3.0/24
1 30.1.1.1 172.16.10.2 UP 00:08:05 DLX 192.168.1.0/24
Crypto Session Details:
——————————————————————————–
Interface: Tunnel0
Session: [0x10D7B838]
Session ID: 0
IKEv1 SA: local 30.1.1.1/500 remote 20.1.1.1/500 Active
Capabilities:(none) connid:1001 lifetime:23:39:54
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 20.1.1.1
IPSEC FLOW: permit 47 host 30.1.1.1 host 20.1.1.1
Active SAs: 4, origin: crypto map
Inbound: #pkts dec’ed 279 drop 0 life (KB/Sec) 4286401/2395
Outbound: #pkts enc’ed 280 drop 0 life (KB/Sec) 4286401/2395
Outbound SPI : 0x46732BB6, transform : esp-256-aes esp-sha256-hmac
Socket State: Open

Interface: Tunnel0
Session: [0x10D7B930]
Session ID: 0
IKEv1 SA: local 30.1.1.1/500 remote 50.1.1.1/500 Active
Capabilities:(none) connid:1002 lifetime:23:51:54
Session ID: 0
IKEv1 SA: local 30.1.1.1/500 remote 50.1.1.1/500 Active
Capabilities:(none) connid:1003 lifetime:23:51:54
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 50.1.1.1
IPSEC FLOW: permit 47 host 30.1.1.1 host 50.1.1.1
Active SAs: 4, origin: crypto map
Inbound: #pkts dec’ed 9 drop 0 life (KB/Sec) 4260667/3114
Outbound: #pkts enc’ed 8 drop 0 life (KB/Sec) 4260667/3114
Outbound SPI : 0x2DE78CC7, transform : esp-256-aes esp-sha256-hmac
Socket State: Open

Pending DMVPN Sessions:
Branch-A#

Ping Tests

Let’s run a couple of pings to verify reachability.

PC1> ping 192.168.3.3
84 bytes from 192.168.3.3 icmp_seq=1 ttl=62 time=33.569 ms
84 bytes from 192.168.3.3 icmp_seq=2 ttl=62 time=20.158 ms
84 bytes from 192.168.3.3 icmp_seq=3 ttl=62 time=25.318 ms
84 bytes from 192.168.3.3 icmp_seq=4 ttl=62 time=21.351 ms
84 bytes from 192.168.3.3 icmp_seq=5 ttl=62 time=23.523 ms

PC1> ping 192.168.2.3

84 bytes from 192.168.2.3 icmp_seq=1 ttl=61 time=75.934 ms
84 bytes from 192.168.2.3 icmp_seq=2 ttl=62 time=23.839 ms
84 bytes from 192.168.2.3 icmp_seq=3 ttl=62 time=21.544 ms
84 bytes from 192.168.2.3 icmp_seq=4 ttl=62 time=21.184 ms
84 bytes from 192.168.2.3 icmp_seq=5 ttl=62 time=21.815 ms

Branch-A#sh ip route next-hop-override | section H|%
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override, p – overrides from PfR
H 172.16.10.3/32 is directly connected, 00:00:47, Tunnel0
H 172.16.10.4/32 is directly connected, 00:27:45, Tunnel0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
D % 192.168.2.0/24 [90/28160256] via 172.16.10.3, 00:39:43, Tunnel0
[NHO][90/255] via 172.16.10.3, 00:00:47, Tunnel0
D % 192.168.3.0/24 [90/28160256] via 172.16.10.4, 00:39:43, Tunnel0
[NHO][90/255] via 172.16.10.4, 00:27:45, Tunnel0
Branch-A#

Verify Routing on Branch A & HQ Routers
Check Branch A Routing
Branch-A#show ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
a – application route
+ – replicated route, % – next hop override, p – overrides from PfR
Gateway of last resort is 30.1.1.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 30.1.1.2
30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 30.1.1.0/24 is directly connected, GigabitEthernet0/1
L 30.1.1.1/32 is directly connected, GigabitEthernet0/1
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.10.0/24 is directly connected, Tunnel0
L 172.16.10.2/32 is directly connected, Tunnel0
H 172.16.10.3/32 is directly connected, 00:00:02, Tunnel0
H 172.16.10.4/32 is directly connected, 00:00:31, Tunnel0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
L 192.168.1.1/32 is directly connected, GigabitEthernet0/0
D % 192.168.2.0/24 [90/28160256] via 172.16.10.3, 02:48:52, Tunnel0
D % 192.168.3.0/24 [90/28160256] via 172.16.10.4, 02:48:52, Tunnel0

Verify HQ Routing
HQ#sh ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
a – application route
+ – replicated route, % – next hop override, p – overrides from PfR

Gateway of last resort is 20.1.1.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 20.1.1.2
20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 20.1.1.0/24 is directly connected, GigabitEthernet0/0
L 20.1.1.1/32 is directly connected, GigabitEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.10.0/24 is directly connected, Tunnel0
L 172.16.10.1/32 is directly connected, Tunnel0
D 192.168.1.0/24 [90/26880256] via 172.16.10.2, 02:52:53, Tunnel0
D 192.168.2.0/24 [90/26880256] via 172.16.10.3, 02:52:53, Tunnel0
D 192.168.3.0/24 [90/26880256] via 172.16.10.4, 02:52:53, Tunnel0

Examine IP NHRP on Branch A & HQ Routers
Branch-A#sh ip nhrp brief
****************************************************************************
NOTE: Link-Local, No-socket and Incomplete entries are not displayed
****************************************************************************
Legend: Type –> S – Static, D – Dynamic
Flags –> u – unique, r – registered, e – temporary, c – claimed
a – authoritative, t – route
============================================================================

Intf NextHop Address NBMA Address
Target Network T/Flag
——– ——————————————- —— —————-
Tu0 172.16.10.1 20.1.1.1
172.16.10.1/32 S/
Tu0 172.16.10.3 40.1.1.1
172.16.10.3/32 D/t
192.168.2.0/24 D/t
Tu0 172.16.10.4 50.1.1.1
172.16.10.4/32 D/t
192.168.3.0/24 D/t
Branch-A#

HQ#sh ip nhrp brief
****************************************************************************
NOTE: Link-Local, No-socket and Incomplete entries are not displayed
****************************************************************************
Legend: Type –> S – Static, D – Dynamic
Flags –> u – unique, r – registered, e – temporary, c – claimed
a – authoritative, t – route
============================================================================
Intf NextHop Address NBMA Address
Target Network T/Flag
——– ——————————————- —— —————-
Tu0 172.16.10.2 30.1.1.1
172.16.10.2/32 D/ur
Tu0 172.16.10.3 40.1.1.1
172.16.10.3/32 D/ur
Tu0 172.16.10.4 50.1.1.1
172.16.10.4/32 D/ur
HQ#

Verify Tunnel Interfaces on Branch A and HQ Routers
Branch-A#sh int tun0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.10.2/24
MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 30.1.1.1 (GigabitEthernet0/1)
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with GigabitEthernet0/1
Set of tunnels with source GigabitEthernet0/1, 1 member (includes iterators), on interface
Tunnel protocol/transport multi-GRE/IP
Key 0x7B, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1472 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile “JAN-2022”)
Last input 00:00:01, output never, output hang never
Last clearing of “show interface” counters 00:21:53
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 6
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
308 packets input, 27694 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
314 packets output, 29020 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Branch-A#

HQ#sh int tun0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.10.1/24
MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 20.1.1.1 (GigabitEthernet0/0)
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface
Tunnel protocol/transport multi-GRE/IP
Key 0x7B, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1472 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile “JAN-2022”)
Last input 00:00:01, output never, output hang never
Last clearing of “show interface” counters 00:36:16
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1441 packets input, 127644 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1446 packets output, 129382 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

Posted at 5:17 pm

IPSEC VTI Site-to-Site VPN

Sep 19, 2022 | Networking, Security

IPSEC Virtual Tunnel Interface Site to Site VPN

Let’s configure a VTI site-to-site Virtual Private Network in this lab.

In this lab, IPsec is the native encapsulation on the tunnel interface (tunnel mode ipsec ipv4); there is no Generic Routing Encapsulation (GRE).

The lab also runs a dynamic routing protocol (EIGRP) between R1 and R3 across the tunnel interface and for the two LAN segments.

EIGRP hellos are multicast (224.0.0.10); a static VTI is a point-to-point routed interface, so they cross the tunnel with no extra configuration.

After the IPSEC VPN is configured, we’ll run a bunch of show/verify commands.

Why VTI?

So why use a static VTI over IPsec for a site-to-site VPN instead of GRE/IPsec or the older crypto-map/ACL approach?

For one, GRE adds its own header to every packet (4 bytes, 8 with a tunnel key); a VTI encrypts the IP packet directly and avoids that overhead.

Also, unlike a crypto-map VPN, whose security association is only built when traffic matches the ACL, a static VTI brings the IPsec tunnel up as soon as the interface is up and keeps it up.

Because the VTI is a routed interface, it supports QoS and multicast just like GRE/IPsec, so dynamic routing protocols run across it.

Then there is scalability. VTI is sometimes described as more scalable than GRE/IPsec, but for a large number of sites the better answer is DMVPN, covered in the post above.

This lab is running on the GNS3 network simulation tool.

Configurations

IP addresses of the end-devices on the LAN segment and of the three routers have already been configured.

You can check them by viewing the topology diagram at the top of this post.

We’ll start with static routing to ensure end-end connectivity from R1 to R3.

Configure Static Routing on R1 & R3

R1
conf t
ip route 0.0.0.0 0.0.0.0 4.1.1.2
end

R3
conf t
ip route 0.0.0.0 0.0.0.0 4.1.2.1
end

VTI IPsec Configuration

Now it’s time for the meat of this lab, the VTI IPSec configuration to build the Virtual Private Network (VPN).

R1 VTI Configuration
IKE Phase 1
*********************
Set the global IKE policy (ISAKMP parameters for the Phase 1 tunnel)

conf t
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 16
lifetime 3600

crypto isakmp key Cisco123 address 4.1.2.2

Configure Phase 2 Tunnel on R1
crypto ipsec transform-set BTS esp-aes 256 esp-sha256-hmac
mode tunnel

crypto ipsec profile JULY-2022-PROFILE
set transform-set BTS
exit

! Configure Tunnel Interface
int tun 0
ip address 10.1.3.1 255.255.255.252
tunnel source g0/0
tunnel destination 4.1.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile JULY-2022-PROFILE
qos pre-classify
end

Note: tunnel mode ipsec ipv4 is what makes this a VTI; a GRE/IPsec tunnel keeps the default tunnel mode gre ip and only adds tunnel protection.

Having completed the IPSec configuration for R1, we’re ready  to configure R3.

Apart from the lifetime, which IKEv1 negotiates down to the shorter of the two values, the Phase 1 parameters on R1 and R3 must match, and so must the transform set.

R3 VTI Configuration
*********************
Configure Phase 1 Tunnel
conf t
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 16
lifetime 3600

crypto isakmp key Cisco123 address 4.1.1.1

Configure Phase 2 Tunnel on R3
crypto ipsec transform-set BTS esp-aes 256 esp-sha256-hmac
mode tunnel

crypto ipsec profile JULY-2022-PROFILE
set transform-set BTS
exit
Configure Tunnel Interface
int tun 0
ip address 10.1.3.2 255.255.255.252
tunnel source g0/1
tunnel destination 4.1.1.1
tunnel mode ipsec ipv4

tunnel protection ipsec profile JULY-2022-PROFILE
qos pre-classify
end
===================================================================

EIGRP Protocol for Tunnel & LAN

Let’s set up a dynamic routing protocol for the LAN segments and for the tunnel.

We’ll use EIGRP this time.

R1
conf t
router eigrp 12
network 10.1.1.0 0.0.0.255
network 10.1.3.0 0.0.0.3
no auto-summary
end

R3
conf t
router eigrp 12
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.3
no auto-summary
end
===================================================================

Key IPSec Show Commands

There are a whole bunch of show or verify commands when it comes to a Site-to-Site VPN configuration.

sh run | s crypto
sh crypto isakmp policy
sh crypto isakmp key
sh crypto isakmp sa
sh int tun0
sh crypto ipsec profile
sh crypto ipsec transform-set

We’ll run them all below.

It's always a good idea to check the IPsec configuration with show run | section crypto before diving into the other show commands, because it is the quickest way to spot a typo in a policy, key or transform set.

R1#sh run | section crypto
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 16
lifetime 3600
crypto isakmp key Cisco123 address 4.1.2.2
crypto ipsec transform-set BTS esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec profile JULY-2022-PROFILE
set transform-set BTS
R1#
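Reading show run | section crypto by eye works for one router; across a fleet it is worth scripting. The following Python is an added example, not from the original post, that parses that output and flags what a reviewer would raise against the IKEv1/IPsec configurations in this post and in the DMVPN post above: weak or defaulted ISAKMP settings (IOS falls back to DES, SHA-1 and DH group 1 when a policy omits them), weak transform-set algorithms, a wildcard pre-shared key (address 0.0.0.0 0.0.0.0, which lets any host that knows the key authenticate), and IKEv1 where IKEv2 is available. The thresholds, the function names and the sample configs are this example's own; the samples are constructed from the configurations shown in these two posts plus a deliberately dated one.

```python
"""Audit 'show run | section crypto' output for weak IKEv1/IPsec settings.

Added example, not code from the original post. The thresholds (DH group
>= 14, no SHA-1/MD5, no DES/3DES, no wildcard PSK, prefer IKEv2) are this
example's review policy, not IOS defaults.
"""
import re

WEAK_DH_GROUPS = {"1", "2", "5"}             # MODP groups of 1536 bits or less
WEAK_HASHES = {"md5", "sha"}                 # 'hash sha' is SHA-1 in IOS
WEAK_CIPHERS = {"des", "3des"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

# What IOS uses when an isakmp policy omits the keyword; all three are weak.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}


def parse_isakmp_policies(cfg):
    """Return {priority: {keyword: value}} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            kw, _, val = line.strip().partition(" ")
            kw = "encr" if kw == "encryption" else kw   # 'show run' abbreviates it
            current[kw] = val
        elif line.strip():
            current = None                               # any other top-level line ends the block
    return policies


def audit_crypto(cfg):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for prio, p in parse_isakmp_policies(cfg).items():
        settings = {**ISAKMP_DEFAULTS, **p}
        cipher = settings["encr"].split()[0]             # 'aes 256' -> 'aes'
        if cipher in WEAK_CIPHERS:
            findings.append(f"policy {prio}: weak cipher {cipher}")
        if settings["hash"] in WEAK_HASHES:
            findings.append(f"policy {prio}: weak hash {settings['hash']}")
        if settings["group"] in WEAK_DH_GROUPS:
            findings.append(f"policy {prio}: weak DH group {settings['group']}")
    for m in re.finditer(r"crypto isakmp key (?:[067] )?(\S+) address (\S+)(?: (\S+))?", cfg):
        _key, addr, mask = m.groups()
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            findings.append("wildcard PSK: any peer that knows the key can authenticate")
    for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", cfg):
        name, algs = m.groups()
        for alg in algs.split():
            if alg in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: weak {alg}")
    if "crypto isakmp policy" in cfg and "crypto ikev2" not in cfg:
        findings.append("IKEv1 only: prefer IKEv2 where both ends support it")
    return findings


# Constructed samples: the DMVPN hub and the VTI R1 crypto sections as shown in
# these posts, plus a dated policy that leans on IOS defaults.
DMVPN_HUB = """\
crypto isakmp policy 25
 encr aes 256
 hash sha256
 authentication pre-share
 group 16
crypto isakmp key Cisco123! address 0.0.0.0 0.0.0.0
crypto ipsec transform-set JACK esp-aes 256 esp-sha256-hmac
crypto ipsec profile JAN-2022
 set transform-set JACK
"""
VTI_R1 = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 16
 lifetime 3600
crypto isakmp key Cisco123 address 4.1.2.2
crypto ipsec transform-set BTS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile JULY-2022-PROFILE
 set transform-set BTS
"""
LEGACY = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 4.1.2.2
crypto ipsec transform-set OLD esp-3des esp-md5-hmac
"""

if __name__ == "__main__":
    for name, cfg in (("DMVPN hub", DMVPN_HUB), ("VTI R1", VTI_R1), ("legacy", LEGACY)):
        print(name, audit_crypto(cfg) or ["clean"])
```

On the two lab configurations the only findings are the wildcard pre-shared key on the DMVPN hub and the use of IKEv1; the dated sample shows how much a policy inherits from IOS defaults when lines are left out, which is the case a by-eye review most often misses.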

Before we launch into the other IPSec commands, let’s check the EIGRP routes.

Sure enough, the EIGRP routes are seen below.

Note that the LAN segment of R3 (10.1.2.0 network) is being accessed over the tunnel.

R1#sh ip route eigrp
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
a – application route
+ – replicated route, % – next hop override, p – overrides from PfR

Gateway of last resort is 4.1.1.2 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
D 10.1.2.0/24 [90/26880256] via 10.1.3.2, 00:10:28, Tunnel0

Several Show Options
To get a better idea of the IPSec show commands, we’ve shown below the various options available with show crypto isakmp.

R1#sh crypto isakmp ?
default Show ISAKMP default
key Show ISAKMP preshared keys
peers Show ISAKMP peer structures
policy Show ISAKMP protection suite policy
profile Show ISAKMP profiles
sa Show ISAKMP Security Associations

Let’s pick show crypto isakmp policy as our next IPSec show command.

R1#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 10
encryption algorithm: AES – Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard 2 (256 bit)
authentication method: Pre-Shared Key
Diffie-Hellman group: #16 (4096 bit)
lifetime: 3600 seconds, no volume limit

R1#sh crypto isakmp key
Keyring Hostname/Address Preshared Key

default 4.1.2.2 Cisco123
===============

Packet Encryption & Decryption

We can view details of encryption and decryption with sh crypto ipsec sa | in encap|decap.

R1#sh crypto ipsec sa | in encap|decap
#pkts encaps: 9017, #pkts encrypt: 9017, #pkts digest: 9017
#pkts decaps: 9020, #pkts decrypt: 9020, #pkts verify: 9020
R1#sh crypto ipsec sa | in encap|decap
#pkts encaps: 9597, #pkts encrypt: 9597, #pkts digest: 9597
#pkts decaps: 9601, #pkts decrypt: 9601, #pkts verify: 9601
R1#sh crypto ipsec sa | in encap|decap
#pkts encaps: 9837, #pkts encrypt: 9837, #pkts digest: 9837
#pkts decaps: 9841, #pkts decrypt: 9841, #pkts verify: 9841
R1#sh crypto ipsec sa | in encap|decap
#pkts encaps: 10039, #pkts encrypt: 10039, #pkts digest: 10039
#pkts decaps: 10043, #pkts decrypt: 10043, #pkts verify: 10043
R1#sh crypto ipsec sa | in encap|decap
#pkts encaps: 10041, #pkts encrypt: 10041, #pkts digest: 10041
#pkts decaps: 10045, #pkts decrypt: 10045, #pkts verify: 10045
R1#

Let’s check the details of our tunnel interface on router R1.

R1#sh run int tun0
Building configuration…

Current configuration : 217 bytes
!
interface Tunnel0
ip address 10.1.3.1 255.255.255.252
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 4.1.2.2
tunnel protection ipsec profile JULY-2022-PROFILE

R1#sh int tun0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.3.1/30
MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 4.1.1.1 (GigabitEthernet0/0), destination 4.1.2.2
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile “JULY-2022-PROFILE”)
Last input never, output never, output hang never
Last clearing of “show interface” counters 00:01:33
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo (QOS pre-classification)
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
31 packets input, 2104 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
31 packets output, 2006 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
==================================================================
Verify IPsec Profile
R1#sh crypto ipsec profile
IPSEC profile JULY-2022-PROFILE

Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
BTS: { esp-256-aes esp-sha256-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
R1#

R1#sh crypto engine connections active
Crypto Engine Connections

ID Type  Algorithm      Encrypt Decrypt LastSeqN IP-Address
21 IPsec AES256+SHA256        0     548      548 4.1.1.1
22 IPsec AES256+SHA256      550       0        0 4.1.1.1
R1#
==================================================================
Verify Transform-Set
R3#sh crypto ipsec transform-set

Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set BTS: { esp-256-aes esp-sha256-hmac }
will negotiate = { Tunnel, },

R3#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 4.1.2.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 4.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 206, #pkts encrypt: 206, #pkts digest: 206
#pkts decaps: 205, #pkts decrypt: 205, #pkts verify: 205
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 4.1.2.2, remote crypto endpt.: 4.1.1.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x3C8F2A78(1016015480)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xE35B4447(3814409287)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2718)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x1D165E9F(488005279)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: SW:3, sibling_flags 80004040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4162768/2718)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x9E3A7B85(2654632837)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2718)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x3C8F2A78(1016015480)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: SW:4, sibling_flags 80004040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4162768/2718)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:
outbound pcp sas:
R3#
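The SA output above, and the repeated encap/decap counter readings in the Packet Encryption & Decryption section, can be checked mechanically rather than by eye. The following Python is an added example, not code from the post: its sample is an abridged copy of R3's output, and the expected transform set and the PFS check are this example's choices.

```python
"""Parse 'show crypto ipsec sa' output and run a few tunnel health checks.

Added example, not from the post. SAMPLE is an abridged copy of the R3 output
above; the expected transform set and the PFS check are this example's choices.
"""
import re

SAMPLE = """\
current_peer 4.1.1.1 port 500
#pkts encaps: 206, #pkts encrypt: 206, #pkts digest: 206
#pkts decaps: 205, #pkts decrypt: 205, #pkts verify: 205
#send errors 0, #recv errors 0
current outbound spi: 0x3C8F2A78(1016015480)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE35B4447(3814409287)
transform: esp-256-aes esp-sha256-hmac ,
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
outbound esp sas:
spi: 0x3C8F2A78(1016015480)
transform: esp-256-aes esp-sha256-hmac ,
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
"""

COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")


def parse_ipsec_sa(text):
    """Return peer, packet/error counters, PFS flag, current SPI and per-SA details."""
    info = {"peer": None, "counters": {}, "errors": {}, "pfs": None,
            "outbound_spi": None, "sas": []}
    section, sa = None, None  # which 'esp sas' block we are in, and the SA being filled
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("current_peer "):
            info["peer"] = line.split()[1]
        elif line.startswith("#pkts"):
            info["counters"].update((k, int(v)) for k, v in COUNTER_RE.findall(line))
        elif line.startswith("#send errors"):
            info["errors"].update((k, int(v)) for k, v in ERROR_RE.findall(line))
        elif line.startswith("current outbound spi:"):
            info["outbound_spi"] = line.split()[3].split("(")[0]
        elif line.startswith("PFS (Y/N):"):
            info["pfs"] = line.split()[2].rstrip(",")
        elif line.endswith("esp sas:"):
            section, sa = line.split()[0], None
        elif line.endswith("sas:"):  # 'ah sas:' / 'pcp sas:' blocks carry nothing here
            section, sa = None, None
        elif section and line.startswith("spi:"):
            sa = {"dir": section, "spi": line.split()[1].split("(")[0]}
            info["sas"].append(sa)
        elif sa and line.startswith("transform:"):
            sa["transform"] = line[len("transform:"):].strip(" ,")
        elif sa and line.startswith("replay detection support:"):
            sa["replay"] = line.split()[-1] == "Y"
        elif sa and line.startswith("Status:"):
            sa["status"] = line.split()[1].split("(")[0]
    return info


def check_tunnel(info, expected_transform="esp-256-aes esp-sha256-hmac"):
    """Return findings; an empty list means every check passed."""
    findings, c = [], info["counters"]
    if not (c.get("encaps") == c.get("encrypt") == c.get("digest")):
        findings.append("outbound counters disagree: packets lost between encap and digest")
    if not (c.get("decaps") == c.get("decrypt") == c.get("verify")):
        findings.append("inbound counters disagree: packets failing decrypt or integrity check")
    if any(info["errors"].values()):
        findings.append(f"send/recv errors: {info['errors']}")
    active = [s for s in info["sas"] if s.get("status") == "ACTIVE"]
    for d in ("inbound", "outbound"):
        if not any(s["dir"] == d for s in active):
            findings.append(f"no ACTIVE {d} ESP SA")
    for s in info["sas"]:
        if s.get("transform") != expected_transform:
            findings.append(f"SA {s['spi']} negotiated {s.get('transform')!r}")
        if not s.get("replay"):
            findings.append(f"SA {s['spi']} has anti-replay disabled")
    if info["outbound_spi"] not in {s["spi"] for s in active if s["dir"] == "outbound"}:
        findings.append("current outbound SPI is not an ACTIVE outbound SA")
    if info["pfs"] != "Y":
        findings.append("PFS is off: consider 'set pfs <group>' in the IPsec profile")
    return findings


def traffic_flowing(before, after):
    """True when both directions advanced between two readings of the counters."""
    b, a = before["counters"], after["counters"]
    return a["encaps"] > b["encaps"] and a["decaps"] > b["decaps"]
```

Feed it two readings taken a few seconds apart (as the post does with `sh crypto ipsec sa | in encap|decap`) and `traffic_flowing` tells you whether traffic is really crossing the tunnel in both directions.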

R3#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
21 IPsec AES256+SHA256 0 634 634 4.1.2.2
22 IPsec AES256+SHA256 632 0 0 4.1.2.2

R3#

R3#sh ip int tun0
Tunnel0 is up, line protocol is up
Internet address is 10.1.3.2/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1438 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: QoS Preclassification
Post encapsulation features: IPSEC Post-encap output classification
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
R3#

R3#sh int tun0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.3.2/30
MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 4.1.2.2 (GigabitEthernet0/1), destination 4.1.1.1
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with GigabitEthernet0/1
Set of tunnels with source GigabitEthernet0/1, 1 member (includes iterators), on interface
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile “JULY-2022-PROFILE”)
Last input never, output never, output hang never
Last clearing of “show interface” counters 00:17:56
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo (QOS pre-classification)
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
243 packets input, 14702 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
245 packets output, 15496 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
R3#

R3#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES – Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard 2 (256 bit)
authentication method: Pre-Shared Key
Diffie-Hellman group: #16 (4096 bit)
lifetime: 3600 seconds, no volume limit
===================

Testing End-to-End Connectivity

Let’s check end-to-end connectivity now.

Can PC1 ping PC2?

And the answer is yes.
PC1> ping 10.1.2.2

84 bytes from 10.1.2.2 icmp_seq=1 ttl=62 time=9.873 ms
84 bytes from 10.1.2.2 icmp_seq=2 ttl=62 time=10.177 ms
84 bytes from 10.1.2.2 icmp_seq=3 ttl=62 time=10.509 ms
84 bytes from 10.1.2.2 icmp_seq=4 ttl=62 time=6.715 ms
84 bytes from 10.1.2.2 icmp_seq=5 ttl=62 time=11.206 m

What about traceroute?

Just like ping, whose ICMP replies it relies on, traceroute goes via the tunnel interface too.


Configure Site-to-Site IKEv2 VPN

Networking, Security
Sep 18, 2022

Not all Virtual Private Networks (VPNs) are created equal.

There are so many flavors of VPNs to boggle the imagination.

Purists insist that, strictly speaking, a VPN is not even required to have encryption. Of course, the same purists would concede that IPsec is a must have add-on for a VPN to truly fulfill its purpose of providing a secure tunnel.

In the corporate world, whether it’s a site-to-site VPN or a more complex DMVPN, a secure VPN is a sine qua non.

In the VPN universe, IKEv1 is slowly giving way to the more secure IKEv2.

How to Configure Site-to-Site IKEv2 VPN

In this post, we’ll configure a site-to-site IKEv2 VPN and run a bunch of show commands.

This post is not meant for someone completely new to networking. I’m assuming readers will have at least CCNA-level knowledge of IP addressing, subnets, routing, network security and VPNs.

IKEv2 Configuration

The IP addresses of the three routers and end-devices have already been configured.

I’ve highlighted the overlay and underlay interfaces, IP addresses and networks in the topology above.

IKEv2 VPN Configuration – 8 Steps

For convenience and easy understanding, I’ve divided the configuration of our Site-to-Site IKEv2 VPN into eight steps:

1. IKEv2 Proposal
2. IKEv2 Policy
3. IKEv2 Keyring
4. IKEv2 Profile
5. IPsec Transform Set
6. IPsec Profile
7. Tunnel Interface
8. Routing
=========================
R1 Configuration

Step 1. IKEv2 Proposal

conf t
crypto ikev2 proposal December-Proposal
encryption aes-cbc-256
integrity sha512
group 21
exit

Step 2. IKEv2 Policy

crypto ikev2 policy November-Policy
match address local 40.1.1.1
proposal December-Proposal
exit

Step 3. IKEv2 Keyring

crypto ikev2 keyring October-KEYRING
peer R2
address 40.1.2.2
pre-shared-key local R1key
pre-shared-key remote R2key
exit
exit

Step 4. IKEv2 Profile

crypto ikev2 profile September-PROFILE
authentication local pre-share
authentication remote pre-share
keyring local October-KEYRING
match identity remote address 40.1.2.2
identity local address 40.1.1.1
exit

Step 5. IPsec Transform Set

crypto ipsec transform-set BT-SET esp-aes 256 esp-sha256-hmac
exit

Step 6. IPsec Profile

crypto ipsec profile BOB-IPSEC-PROFILE
set transform-set BT-SET
set ikev2-profile September-PROFILE
exit

Step 7. Configure Tunnel Interface

int tunnel 0
ip address 10.1.1.1 255.255.255.0
tunnel source 40.1.1.1
tunnel destination 40.1.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile BOB-IPSEC-PROFILE
no shut
exit

Step 8. Configure Routing

router eigrp 20
no auto-summary
network 192.168.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
exit
================
R2 Configuration

Step 1. IKEv2 Proposal

conf t
crypto ikev2 proposal December-Proposal
encryption aes-cbc-256
integrity sha512
group 21
exit

Step 2. IKEv2 Policy

crypto ikev2 policy November-Policy
match address local 40.1.2.2
proposal December-Proposal
exit

Step 3. IKEv2 Keyring

crypto ikev2 keyring October-KEYRING
peer R1
address 40.1.1.1
pre-shared-key local R2key
pre-shared-key remote R1key
exit
exit

Step 4. IKEv2 Profile

crypto ikev2 profile September-PROFILE
authentication local pre-share
authentication remote pre-share
keyring local October-KEYRING
match identity remote address 40.1.1.1
identity local address 40.1.2.2
exit

Step 5. IPsec Transform Set

crypto ipsec transform-set BT-SET esp-aes 256 esp-sha256-hmac
exit

Step 6. IPsec Profile

crypto ipsec profile BOB-IPSEC-PROFILE
set transform-set BT-SET
set ikev2-profile September-PROFILE
exit

Step 7. Configure Tunnel Interface

int tunnel 0
ip address 10.1.1.2 255.255.255.0
tunnel source 40.1.2.2
tunnel destination 40.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile BOB-IPSEC-PROFILE
no shut
exit

Step 8. Configure Routing

router eigrp 20
no auto-summary
network 192.168.2.0 0.0.0.255
network 10.1.1.0 0.0.0.255
exit
==================

Some Useful IKEv2 Verify Commands

show crypto ipsec sa
show crypto session
show run | section crypto
show crypto engine accelerator statistic
show int tunnel 0
show crypto ikev2 proposal
show crypto ikev2 policy
debug crypto engine packet
debug crypto ikev2 packet

Verifying our Crypto Configuration on R1

R1#sh run | sec crypto
[output truncated]
crypto ikev2 proposal December-Proposal
encryption aes-cbc-256
integrity sha512
group 21
crypto ikev2 policy November-Policy
match address local 40.1.1.1
proposal December-Proposal
crypto ikev2 keyring October-KEYRING
peer R2
address 40.1.2.2
pre-shared-key local R1key
pre-shared-key remote R2key
!
crypto ikev2 profile September-PROFILE
match identity remote address 40.1.2.2 255.255.255.255
identity local address 40.1.1.1
authentication remote pre-share
authentication local pre-share
keyring local October-KEYRING
crypto ipsec transform-set BT-SET esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec profile BOB-IPSEC-PROFILE
set transform-set BT-SET
set ikev2-profile September-PROFILE
R1#

Verifying our Crypto Configuration on R2

R2#sh run | sec crypto
[output truncated]
crypto pki certificate chain TP-self-signed-3202180324
crypto ikev2 proposal December-Proposal
encryption aes-cbc-256
integrity sha512
group 21
crypto ikev2 policy November-Policy
match address local 40.1.2.2
proposal December-Proposal
crypto ikev2 keyring October-KEYRING
peer R1
address 40.1.1.1
pre-shared-key local R2key
pre-shared-key remote R1key
!
crypto ikev2 profile September-PROFILE
match identity remote address 40.1.1.1 255.255.255.255
identity local address 40.1.2.2
authentication remote pre-share
authentication local pre-share
keyring local October-KEYRING
crypto ipsec transform-set BT-SET esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec profile BOB-IPSEC-PROFILE
set transform-set BT-SET
set ikev2-profile September-PROFILE
R2#
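The two configurations must mirror each other exactly: each router's keyring peer address and "match identity remote" must equal the other router's local identity, each router's local PSK must equal the other router's remote PSK, and the proposal and transform set must agree. The following Python is an added example (not code from the post) that parses the two show run | section crypto outputs above and reports any asymmetry before the tunnel is brought up; the R2 sample is derived from R1's by swapping addresses and key roles, and the PSK typo at the end is constructed.

```python
"""Cross-check that two routers' IKEv2/IPsec configs mirror each other.

Added example, not from the post. Parses 'show run | section crypto' text and
checks the symmetry the eight configuration steps rely on: same proposal and
transform-set algorithms, each side's keyring peer address and 'match identity
remote' equal to the other side's local identity, and swapped PSK roles.
"""

# Constructed sample, copied from the R1 output shown in the post.
R1_CRYPTO = """\
crypto ikev2 proposal December-Proposal
encryption aes-cbc-256
integrity sha512
group 21
crypto ikev2 policy November-Policy
match address local 40.1.1.1
proposal December-Proposal
crypto ikev2 keyring October-KEYRING
peer R2
address 40.1.2.2
pre-shared-key local R1key
pre-shared-key remote R2key
!
crypto ikev2 profile September-PROFILE
match identity remote address 40.1.2.2 255.255.255.255
identity local address 40.1.1.1
authentication remote pre-share
authentication local pre-share
keyring local October-KEYRING
crypto ipsec transform-set BT-SET esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec profile BOB-IPSEC-PROFILE
set transform-set BT-SET
set ikev2-profile September-PROFILE
"""

# R2 is the mirror image of R1: the two addresses and the two PSK roles swap.
R2_CRYPTO = (R1_CRYPTO.replace("40.1.1.1", "@A").replace("40.1.2.2", "40.1.1.1")
             .replace("@A", "40.1.2.2").replace("R1key", "@K").replace("R2key", "R1key")
             .replace("@K", "R2key").replace("peer R2", "peer R1"))


def parse_crypto(text):
    """Pull out the fields that must agree between the two peers."""
    cfg = {"proposal": {}, "keyring": {}, "profile": {}, "policy_local": None, "transform": None}
    for raw in text.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] in ("encryption", "integrity", "group") and len(tok) == 2:
            cfg["proposal"][tok[0]] = tok[1]
        elif tok[:3] == ["match", "address", "local"]:
            cfg["policy_local"] = tok[3]
        elif tok[0] == "address" and len(tok) == 2:          # keyring peer address
            cfg["keyring"]["peer_address"] = tok[1]
        elif tok[0] == "pre-shared-key" and tok[1] in ("local", "remote"):
            cfg["keyring"]["psk_" + tok[1]] = tok[2]
        elif tok[:4] == ["match", "identity", "remote", "address"]:
            cfg["profile"]["remote_id"] = tok[4]             # mask, if printed, is ignored
        elif tok[:3] == ["identity", "local", "address"]:
            cfg["profile"]["local_id"] = tok[3]
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"] = " ".join(tok[4:])             # algorithms only; the name is local
    return cfg


def verify_pair(name_a, a, name_b, b):
    """Return a list of mismatches; an empty list means the configs mirror each other."""
    problems = []

    def same(label, x, y):
        if x != y:
            problems.append(f"{label}: {x!r} != {y!r}")

    same("IKEv2 proposal", a["proposal"], b["proposal"])
    same("IPsec transform-set algorithms", a["transform"], b["transform"])
    for n1, c1, n2, c2 in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        same(f"{n1} keyring peer address vs {n2} identity local",
             c1["keyring"].get("peer_address"), c2["profile"].get("local_id"))
        same(f"{n1} match identity remote vs {n2} identity local",
             c1["profile"].get("remote_id"), c2["profile"].get("local_id"))
        same(f"{n1} pre-shared-key local vs {n2} pre-shared-key remote",
             c1["keyring"].get("psk_local"), c2["keyring"].get("psk_remote"))
        same(f"{n1} policy 'match address local' vs its own identity local",
             c1["policy_local"], c1["profile"].get("local_id"))
    return problems


if __name__ == "__main__":
    r1, r2 = parse_crypto(R1_CRYPTO), parse_crypto(R2_CRYPTO)
    print("R1/R2 mismatches:", verify_pair("R1", r1, "R2", r2) or "none")
    # A constructed typo in one PSK is caught before the tunnel is brought up.
    r2_typo = parse_crypto(R2_CRYPTO.replace("remote R1key", "remote R1kye"))
    print("with PSK typo:", verify_pair("R1", r1, "R2", r2_typo))
```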

Checking Interfaces on R1

R1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 40.1.1.1 YES manual up up
GigabitEthernet2 192.168.1.1 YES manual up up
GigabitEthernet3 unassigned YES unset administratively down down
GigabitEthernet4 unassigned YES unset administratively down down
Tunnel0 10.1.1.1 YES manual up up

Verifying PC1 to PC2 Connectivity

Successful pings and traceroutes on the two end-devices confirm that our Tunnel0 is working fine.

PC1 is able to ping PC2 and vice versa.

PC1> ping 192.168.2.2

192.168.2.2 icmp_seq=1 timeout
84 bytes from 192.168.2.2 icmp_seq=2 ttl=62 time=7.263 ms
84 bytes from 192.168.2.2 icmp_seq=3 ttl=62 time=6.157 ms
84 bytes from 192.168.2.2 icmp_seq=4 ttl=62 time=5.959 ms
84 bytes from 192.168.2.2 icmp_seq=5 ttl=62 time=8.569 ms

PC1> trace 192.168.2.2
trace to 192.168.2.2, 8 hops max, press Ctrl+C to stop
1 192.168.1.1 5.999 ms 2.019 ms 1.617 ms
2 10.1.1.2 12.953 ms 3.600 ms 4.169 ms
3 *192.168.2.2 9.599 ms (ICMP type:3, code:3, Destination port unreachable)
PC1>

PC2> ping 192.168.1.1
84 bytes from 192.168.1.1 icmp_seq=1 ttl=254 time=13.269 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=254 time=4.614 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=254 time=5.469 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=254 time=5.382 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=254 time=4.964 ms

PC2> trace 192.168.1.1
trace to 192.168.1.1, 8 hops max, press Ctrl+C to stop
1 192.168.2.1 3.267 ms 7.103 ms 2.253 ms
2 *10.1.1.1 28.731 ms (ICMP type:3, code:3, Destination port unreachable) *
PC2>
===============================================

Verifying Routing on R1

The show ip route command shows that the 192.168.2.0/24 network is reached via the overlay network (see below).

R1#sh ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
a – application route
+ – replicated route, % – next hop override, p – overrides from PfR

Gateway of last resort is 40.1.1.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 40.1.1.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Tunnel0
L 10.1.1.1/32 is directly connected, Tunnel0
40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 40.1.1.0/24 is directly connected, GigabitEthernet1
L 40.1.1.1/32 is directly connected, GigabitEthernet1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet2
L 192.168.1.1/32 is directly connected, GigabitEthernet2
D 192.168.2.0/24 [90/26880256] via 10.1.1.2, 00:37:51, Tunnel0

R1#sh ip route 192.168.2.2
Routing entry for 192.168.2.0/24
Known via “eigrp 20”, distance 90, metric 26880256, type internal
Redistributing via eigrp 20
Last update from 10.1.1.2 on Tunnel0, 00:38:18 ago
Routing Descriptor Blocks:
* 10.1.1.2, from 10.1.1.2, 00:38:18 ago, via Tunnel0
Route metric is 26880256, traffic share count is 1
Total delay is 50010 microseconds, minimum bandwidth is 100 Kbit
Reliability 255/255, minimum MTU 1438 bytes
Loading 1/255, Hops 1
R1#
================================

Some Crypto Verify Commands on R1

Now it’s time to get going with a bunch of crypto commands and examine the output.

R1#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 40.1.1.1/500 40.1.2.2/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3224 sec
CE id: 1001, Session-id: 1
Status Description: Negotiation done
Local spi: 0F77C00D167A34BE Remote spi: F14374F7D1885E3D
Local id: 40.1.1.1
Remote id: 40.1.2.2
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No

IPv6 Crypto IKEv2 SA
R1#
================================
R1#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 40.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 40.1.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 740, #pkts encrypt: 740, #pkts digest: 740
#pkts decaps: 740, #pkts decrypt: 740, #pkts verify: 740
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 40.1.1.1, remote crypto endpt.: 40.1.2.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xA5DADA1A(2782583322)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xA7E95D48(2817088840)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: CSR:4, sibling_flags FFFFFFFF80000048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607999/3596)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA5DADA1A(2782583322)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: CSR:3, sibling_flags FFFFFFFF80000048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607999/3596)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
================================
R1#show crypto session
Crypto session current status

Interface: Tunnel0
Profile: September-PROFILE
Session status: UP-ACTIVE
Peer: 40.1.2.2 port 500
Session ID: 2
IKEv2 SA: local 40.1.1.1/500 remote 40.1.2.2/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
================================

Some Crypto Verify Commands on R2

R2#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 40.1.2.2/500 40.1.1.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/246 sec
CE id: 1001, Session-id: 1
Status Description: Negotiation done
Local spi: F14374F7D1885E3D Remote spi: 0F77C00D167A34BE
Local id: 40.1.2.2
Remote id: 40.1.1.1
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes

IPv6 Crypto IKEv2 SA
================================
R2#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 40.1.2.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 40.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 86, #pkts encrypt: 86, #pkts digest: 86
#pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 40.1.2.2, remote crypto endpt.: 40.1.1.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x533E0924(1396574500)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x30612CC1(811674817)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80000048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607990/3244)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x533E0924(1396574500)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80000048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607994/3244)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:
outbound pcp sas:
================================
R2#show crypto session
Crypto session current status

Interface: Tunnel0
Profile: September-PROFILE
Session status: UP-ACTIVE
Peer: 40.1.1.1 port 500
Session ID: 1
IKEv2 SA: local 40.1.2.2/500 remote 40.1.1.1/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

Overall, it seems like our IKEv2 Site-to-Site VPN configuration is working fine.

List, Research and Install Only Security Updates on Red Hat 9

Linux, Security
Sep 04, 2022

One of the nice features of Red Hat Enterprise Linux 9 (RHEL 9) OS is the ability to check, research and install only security updates from the command line.

As a systems administrator, there’s always a risk that installing an update might break something important in the enterprise and lead to undesirable consequences.

So tread carefully when it comes to change management of your enterprise servers.

At the same time, it’s good to know the security updates and get some details about them right from within the CLI.

RHEL 9 List & Install Security Updates in Red Hat 9

By the way, the ability to install only security updates in RHEL was available in some older versions of RHEL like RHEL 8 and 7 as well.

Four Security Tasks

In this post, we’ll consider four important security aspects in Red Hat 9:
1. How to List Only Security Updates in RHEL 9
2. How to List Already Installed Security Updates in RHEL 9
3. How to Install Only All Security Updates in RHEL 9
4. How to Research and Install Only a Single Security Update in RHEL 9

Task 1: List Only Security Updates

[jack@localhost ~]$ sudo dnf updateinfo list updates security
Updating Subscription Management repositories.
Red Hat Enterprise Linux 9 for x86_64 – BaseOS (RPMs) 16 kB/s | 4.1 kB 00:00
Red Hat Enterprise Linux 9 for x86_64 – AppStream (RPMs) 21 kB/s | 4.1 kB 00:00
RHSA-2022:6157 Moderate/Sec. curl-7.76.1-14.el9_0.5.x86_64
RHSA-2022:6174 Important/Sec. firefox-91.13.0-1.el9_0.x86_64
RHSA-2022:6157 Moderate/Sec. libcurl-7.76.1-14.el9_0.5.x86_64
RHSA-2022:6181 Important/Sec. rsync-3.2.3-9.el9_0.2.x86_64

Task 2: List Security Updates already installed

You can also check for a list of security updates that you have already installed.

[jack@localhost ~]$ dnf updateinfo list security --installed
Not root, Subscription Management repositories not updated
Red Hat Enterprise Linux 9 for x86_64 – BaseOS (RPMs) 18 kB/s | 4.1 kB 00:00
Red Hat Enterprise Linux 9 for x86_64 – AppStream (RPMs) 21 kB/s | 4.1 kB 00:00
RHSA-2022:4990 Important/Sec. cups-1:2.3.3op2-13.el9_0.1.x86_64
RHSA-2022:4990 Important/Sec. cups-client-1:2.3.3op2-13.el9_0.1.x86_64
RHSA-2022:4990 Important/Sec. cups-filesystem-1:2.3.3op2-13.el9_0.1.noarch
RHSA-2022:4990 Important/Sec. cups-ipptool-1:2.3.3op2-13.el9_0.1.x86_64
RHSA-2022:4990 Important/Sec. cups-libs-1:2.3.3op2-13.el9_0.1.x86_64
RHSA-2022:4873 Important/Sec. firefox-91.10.0-1.el9_0.x86_64
RHSA-2022:5481 Important/Sec. firefox-91.11.0-2.el9_0.x86_64
RHSA-2022:5767 Important/Sec. firefox-91.12.0-2.el9_0.x86_64
RHSA-2022:4590 Important/Sec. firefox-91.9.0-1.el9_0.x86_64
RHSA-2022:4765 Critical/Sec. firefox-91.9.1-1.el9_0.x86_64
RHSA-2022:5099 Important/Sec. grub2-common-1:2.06-27.el9_0.7.noarch
….[Output truncated]

Task 3. How to Install Only Security Updates

Now it’s time to consider the most important task of this post.

How do we install all of the security updates, and only the security updates, on Red Hat Enterprise Linux 9?

[jack@localhost ~]$ sudo dnf update --security
……
[Output truncated]
===================================================================================================================================================================================================================
Package Architecture Version Repository Size
===================================================================================================================================================================================================================
Installing:
kernel x86_64 5.14.0-70.22.1.el9_0 rhel-9-for-x86_64-baseos-rpms 595 k
Upgrading:
bpftool x86_64 5.14.0-70.22.1.el9_0 rhel-9-for-x86_64-baseos-rpms 1.3 M
curl x86_64 7.76.1-14.el9_0.4 rhel-9-for-x86_64-baseos-rpms 300 k
expat x86_64 2.2.10-12.el9_0.2 rhel-9-for-x86_64-baseos-rpms 109 k
grafana x86_64 7.5.11-5.el9_0 rhel-9-for-x86_64-appstream-rpms 39 M
kernel-headers x86_64 5.14.0-70.22.1.el9_0 rhel-9-for-x86_64-appstream-rpms 2.2 M
kernel-tools x86_64 5.14.0-70.22.1.el9_0 rhel-9-for-x86_64-baseos-rpms 824 k
kernel-tools-libs x86_64 5.14.0-70.22.1.el9_0 rhel-9-for-x86_64-baseos-rpms 605 k
libarchive x86_64 3.5.3-2.el9_0 rhel-9-for-x86_64-baseos-rpms 392 k
[Output truncated]

Task 4. How to Research & Install Only a Single Security Update

RHEL 9 also lets you research and install a single security update out of many possible security updates.

For instance, Red Hat classified Firefox as an important security update.

Since the Firefox browser was a crucial element of my organization’s security policy, I went ahead and installed it without researching it further.

[jack@localhost ~]$ sudo dnf install firefox-91.13.0-1.el9_0.x86_64
……[output truncated]
Upgraded:
firefox-91.13.0-1.el9_0.x86_64

Dig Deeper

By the way, you can also dig deeper into a Red Hat security update recommendation from within the CLI itself.

When I found that Red Hat put up the rsync file copy and synchronize utility as an important security update, I was curious to see what the issue was.

So I went back to Task 1 (see above) to get the Update ID for the rsync security update and then ran the below command.

[jack@localhost ~]$ sudo dnf updateinfo info RHSA-2022:6181
Update ID: RHSA-2022:6181
Type: security
Updated: 2022-08-24 13:06:01
Bugs: 2110928 – CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers
CVEs: CVE-2022-29154
Description: The rsync utility enables the users to copy and synchronize files locally or across a network.
…[Output truncated]

Now I know that the security hole in rsync relates to “remote arbitrary files write inside the directories of connecting peers.”

Depending on my organization’s security policy and requirements, I can then decide to either ignore or upgrade rsync.
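The research-then-decide step above can be scripted. The shell below is an added example, not from this post and not from Red Hat: it parses the text that dnf updateinfo info prints, pulls out the advisory ID, type, severity and CVEs, checks them against a severity threshold, and builds (without running) the dnf update --advisory=... command that installs only that one advisory. The advisory text is constructed to mirror the rsync output above; the Severity line is an assumption, since the output shown in the post was truncated before it.

```sh
# Added example (not from the original post): parse what `dnf updateinfo info <ID>`
# prints, pull out the advisory's ID, type, severity and CVEs, and build the dnf
# command that applies only that advisory. The sample text below is CONSTRUCTED to
# mirror the rsync advisory shown above; the "Severity:" line is assumed, as the
# post's output was truncated before it.
SAMPLE_UPDATEINFO='Update ID: RHSA-2022:6181
Type: security
Updated: 2022-08-24 13:06:01
Bugs: 2110928 - CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers
CVEs: CVE-2022-29154
Description: The rsync utility enables the users to copy and synchronize files locally or across a network.
Severity: Important'

# Value of one field ("Update ID", "Type", "Severity", ...) in the advisory text.
# Usage: field_of 'Update ID' "$SAMPLE_UPDATEINFO"
field_of() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p" | head -n 1
}

# Every CVE identifier mentioned anywhere in the advisory text, one per line, deduplicated.
cves_of() {
    printf '%s\n' "$1" | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Numeric rank for Red Hat's severity ratings so a policy threshold can be compared.
severity_rank() {
    case "$1" in
        Critical)  echo 4 ;;
        Important) echo 3 ;;
        Moderate)  echo 2 ;;
        Low)       echo 1 ;;
        *)         echo 0 ;;   # unknown or missing severity never satisfies a threshold
    esac
}

# Policy check: the advisory is a security update and its severity is at least
# the threshold given in $2. Returns 0 (apply) or 1 (skip).
meets_policy() {
    [ "$(field_of Type "$1")" = "security" ] || return 1
    [ "$(severity_rank "$(field_of Severity "$1")")" -ge "$(severity_rank "$2")" ]
}

# The dnf invocation that installs exactly this advisory and nothing else.
# Built and printed here, not executed, so the script runs on any machine.
dnf_command_for() {
    printf 'sudo dnf update --advisory=%s\n' "$(field_of 'Update ID' "$1")"
}

# Demo: apply Important and Critical security advisories, skip the rest.
if meets_policy "$SAMPLE_UPDATEINFO" Important; then
    echo "CVEs fixed: $(cves_of "$SAMPLE_UPDATEINFO" | tr '\n' ' ')"
    dnf_command_for "$SAMPLE_UPDATEINFO"
else
    echo "skipping $(field_of 'Update ID' "$SAMPLE_UPDATEINFO")"
fi
```

Run it with sh. If you would rather key on the CVE than on the advisory, dnf also accepts --cve CVE-2022-29154, and dnf update --security --sec-severity=Important applies every advisory of that severity in one go.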

Does Ubuntu offer the capability to list, research and install only security updates via the command line?

I doubt it.

But I have noticed that Linux Mint offers the ability to view and install only security updates via its GUI-based Update Manager.

Uncomplicated Firewall Stays True to its Name

Command Line, Linux, Security
Sep 03, 2022

Having an Ubuntu or Linux Mint desktop without UFW (short for Uncomplicated Firewall) is like buying a nice home without a front door.

UFW, a host-based front end to the Linux netfilter firewall, comes standard with Ubuntu and its derivatives such as Linux Mint 21.

The program comes in both CLI and GUI versions.

True to its name, UFW is simple to use and supports both IPv4 and IPv6 addresses.

UFW – Inactive by Default

On a newly installed Linux Mint 21 desktop computer, UFW was bizarrely inactive by default (see below).

$ sudo ufw status
Status: inactive

I don’t understand the logic of Linux Mint developers in providing a firewall that comes disabled by default.

So I quickly enabled the UFW firewall on Linux Mint 21 with the command below:

$ sudo ufw enable
Firewall is active and enabled on system startup

In contrast to Linux Mint, the firewall on Red Hat Enterprise Linux 9 (firewalld) is enabled by default. On the flip side, the firewall in RHEL 9 is anything but uncomplicated.

When you enable UFW, the program reloads the firewall and enables it on boot.

Re-running the status command with the verbose option shows that UFW is active and reports its default policies: deny (incoming), allow (outgoing), disabled (routed).

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

That is all nice and dandy, but what if we want to do more than stick with the defaults?

Block Cat Videos on YouTube

UFW supports both inbound and outbound filtering.

Let’s say you want to block all outbound web traffic on your new employee’s PC (she doesn’t need the Internet for her work).

In that scenario, you’d run the following commands:

$ sudo ufw deny out https
$ sudo ufw deny out http

The above lines will prevent your employee from wasting time looking at cat videos on YouTube during work hours.

By the way, you’ll get the same results by using the port numbers 443 and 80 for https and http respectively (ufw resolves service names through /etc/services). Note that with the default outgoing policy still set to allow, every other outbound port stays open, so this blocks browsing on the standard ports only:

$ sudo ufw deny out 443
$ sudo ufw deny out 80

Lots of Options

There’s plenty of other CLI options that you can tweak in UFW.

You can delete a rule by its number or by restating the rule itself, insert a rule at a given position, or prepend one.

You can also adjust logging levels, rate-limit connections, do a dry run (--dry-run) without actually modifying the rules, reset to installation defaults, and more.

If for some reason, you want to get back to the default install, use the ufw reset command:

$ sudo ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20220902_154828'
Backing up 'before.rules' to '/etc/ufw/before.rules.20220902_154828'
Backing up 'after.rules' to '/etc/ufw/after.rules.20220902_154828'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20220902_154828'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20220902_154828'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20220902_154828'

For traffic that is not destined to the host itself but is forwarded through it, put route in front of the rule. So your syntax would look like:

$ sudo ufw route [RULE]

According to UFW’s man page, a limit rule denies connections from an IP address that has attempted to initiate 6 or more connections within the last 30 seconds. Connections under that rate are allowed, so a limit rule doubles as the allow rule for the service.

For instance, if you want to rate-limit ssh connections, you’d use:

$ sudo ufw limit ssh/tcp

You can verify the ssh rate-limit you configured above by running:

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
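Both status checks in this post (the default policies reported by ufw status verbose and the LIMIT rule shown by ufw status numbered) can be audited automatically. The shell below is an added example, not from this post and not from the UFW project: it parses a status dump into rules, reads the default policies, and flags an inactive firewall, an incoming default other than deny, an ssh rule that is not LIMIT, and any ALLOW IN from Anywhere that is not on an allow list. The dumps are constructed, including one extra ALLOW IN rule on 3389/tcp to give the audit something to catch; they were not captured from a real system.

```sh
# Added example (not from the original post): read a `ufw status verbose` (or
# `ufw status numbered`) dump and audit it against a small policy. The dump below
# is CONSTRUCTED to show a host where the post's rules were applied (limit ssh,
# deny outbound http/https) plus one risky rule; it was not captured from a real system.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
443                        DENY OUT    Anywhere
80                         DENY OUT    Anywhere
3389/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)
443 (v6)                   DENY OUT    Anywhere (v6)
80 (v6)                    DENY OUT    Anywhere (v6)
3389/tcp (v6)              ALLOW IN    Anywhere (v6)'

# What `ufw status` prints before `ufw enable` has ever been run (also constructed).
SAMPLE_INACTIVE='Status: inactive'

# Rule lines only, as "TO|ACTION DIR|FROM". A leading "[ n]" from
# `status numbered` is stripped, so both status formats parse the same way.
ufw_rules() {
    printf '%s\n' "$1" | sed 's/^\[ *[0-9]*] *//' | awk '
        match($0, /(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD)/) {
            to = substr($0, 1, RSTART - 1)
            act = substr($0, RSTART, RLENGTH)
            from = substr($0, RSTART + RLENGTH)
            gsub(/^ +| +$/, "", to); gsub(/^ +| +$/, "", from)
            print to "|" act "|" from
        }'
}

# Default policy for a direction: incoming, outgoing or routed (e.g. "deny").
ufw_default() {
    printf '%s\n' "$1" | grep '^Default:' | grep -o "[a-z]* ($2)" | cut -d' ' -f1
}

# Action recorded for one "To" target such as 22/tcp (IPv4 rule); empty if none.
ufw_action_for() {
    ufw_rules "$1" | awk -F'|' -v to="$2" '$1 == to { print $2; exit }'
}

# Audit: firewall active, incoming denied by default, ssh rate-limited rather than
# plainly allowed, and no ALLOW IN from Anywhere except on the targets listed
# (space separated) in $2. Prints one finding per line; returns the finding count.
ufw_audit() {
    status=$1; allowed=$2; findings=0
    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "FAIL: firewall is not active"; findings=$((findings + 1))
    fi
    if [ "$(ufw_default "$status" incoming)" != "deny" ]; then
        echo "FAIL: default incoming policy is not deny"; findings=$((findings + 1))
    fi
    ssh_action=$(ufw_action_for "$status" 22/tcp)
    if [ "$ssh_action" != "LIMIT IN" ]; then
        echo "WARN: 22/tcp is '${ssh_action:-unmatched}', expected LIMIT IN"; findings=$((findings + 1))
    fi
    while IFS='|' read -r to act from; do
        case "$to" in *"(v6)"*) continue ;; esac   # v6 rules mirror v4 ones; report once
        if [ "$act" = "ALLOW IN" ] && [ "$from" = "Anywhere" ]; then
            case " $allowed " in
                *" $to "*) ;;
                *) echo "FAIL: $to is open to Anywhere and not on the allow list"; findings=$((findings + 1)) ;;
            esac
        fi
    done <<EOF
$(ufw_rules "$status")
EOF
    return "$findings"
}

# Demo: only ssh should be reachable from anywhere.
ufw_audit "$SAMPLE_STATUS" "22/tcp" || echo "audit finished with $? finding(s)"
```

On a real host, feed it live output: ufw_audit "$(sudo ufw status verbose)" "22/tcp". The IPv6 mirror rules are skipped on purpose so each finding is reported once.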

Clearly, UFW is a richly featured firewall with plenty of options.

We have barely scratched the surface of UFW’s capabilities in this post.

I’d encourage you to login to your Ubuntu 22.04 or Linux Mint 21 system and check out the man pages of UFW and play around with the various options.

GUI Version of UFW

If you think the CLI version of UFW is no biggie to configure, wait till you see the GUI version, which is appropriately named Gufw Firewall.

It takes just a few seconds to set up. If you’re using Linux Mint 21, go to Menu (bottom-left usually) and search for gufw or firewall.

[Image: UFW Uncomplicated Firewall]
The GUI version has three profiles: Home, Office and Public.

By default, Outgoing traffic is allowed for all three profiles while Incoming traffic is denied for Public and Office.

The Home profile is turned off by default, but you can turn it on and pick Deny for Incoming traffic if that is your preference.

UFW Verdict

All in all, UFW is one of the security utilities that make Ubuntu or Linux Mint 21 a worthy desktop Linux distribution.

Unlike the default firewall in RHEL 9 (firewalld, which uses the concept of zones and a more involved syntax), UFW is easy to use whether in GUI or CLI mode.

I only wish UFW came enabled by default.

Before concluding, I’d like to share a bunch of key UFW commands I found on the firewall’s man pages:

$ sudo ufw --help
Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 prepend RULE                    prepend RULE
 route RULE                      add route RULE
 route delete RULE|NUM           delete route RULE
 route insert NUM RULE           insert route RULE at NUM
 reload                          reload firewall
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information