GRE VPN Tunnel Configuration

Networking, Security
May 17, 2022

Since Generic Routing Encapsulation (GRE) VPN tunnels remain on Cisco exams like the CCNA and CCNP ENCOR, let's walk through a quick GRE tunnel configuration.

Why do we care about GRE?

We care about GRE because it can encapsulate a wide range of network-layer protocols so they can be carried over an IP network, for example between two sites across a public network like the Internet.

GRE is commonly used for:
* Multicast traffic, such as OSPF and EIGRP routing updates and streaming applications
* Connecting IPv6 networks over IPv4 networks

For purposes of this demonstration, we used the GNS3 emulation software running on a Linux VM.

The biggest problem with a default GRE configuration like the one below is that it includes no security: GRE only adds an encapsulation header, so the tunneled packets cross the public network in cleartext, with no integrity protection and no authentication of the peer.

GRE Tunnel Configuration

! Configure PC1
ip 10.1.1.2/24 10.1.1.1
save
! Configure PC2
ip 10.1.2.2/24 10.1.2.1
save

! Configure Router R1
conf t
hostname R1
interface f0/0
ip address 10.1.1.1 255.255.255.0
no shut
interface s0/0
ip address 4.1.1.1 255.255.255.252
no shut
! Configure Router R2
conf t
hostname R2
interface s0/1
ip address 4.1.1.2 255.255.255.252
no shut
int s0/0
ip address 4.1.2.1 255.255.255.252
no shut
! Configure Router R3
conf t
hostname R3
interface s0/1
ip address 4.1.2.2 255.255.255.252
no shut
interface f0/0
ip address 10.1.2.1 255.255.255.0
no shut

Static Routing
We’ll use static routing for end-to-end connectivity.

! Configure Static Routing on R1 & R3
!R1
conf t
ip route 0.0.0.0 0.0.0.0 4.1.1.2
!R3
conf t
ip route 0.0.0.0 0.0.0.0 4.1.2.1

GRE Tunnel Interfaces
Now it’s time to configure the GRE tunnel.

! Configure GRE Tunnel on R1
conf t
int tun 0
ip address 10.1.3.1 255.255.255.252
tunnel mode gre ip
tunnel source s0/0
tunnel destination 4.1.2.2

! Configure GRE Tunnel on R3
conf t
int tun 0
ip address 10.1.3.2 255.255.255.252
tunnel mode gre ip
tunnel source s0/1
tunnel destination 4.1.1.1

Let’s check the Tunnel Interfaces on R1 and R3 to make sure they’re up.

Verify Tunnel Interfaces
R1#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES NVRAM up up
Serial0/0 4.1.1.1 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/1 unassigned YES NVRAM administratively down down
Serial0/2 unassigned YES NVRAM administratively down down
Serial0/3 unassigned YES NVRAM administratively down down
FastEthernet1/0 unassigned YES NVRAM administratively down down
FastEthernet2/0 unassigned YES NVRAM administratively down down
Tunnel0 10.1.3.1 YES NVRAM up up

R3#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.2.1 YES NVRAM up up
Serial0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/1 4.1.2.2 YES NVRAM up up
Serial0/2 unassigned YES NVRAM administratively down down
Serial0/3 unassigned YES NVRAM administratively down down
FastEthernet1/0 unassigned YES NVRAM administratively down down
FastEthernet2/0 unassigned YES NVRAM administratively down down
Tunnel0 10.1.3.2 YES NVRAM up up
R3#

Configure EIGRP Routing on Tunnel Interfaces R1 and R3
! R1
conf t
router eigrp 100
network 10.0.0.0
no auto-summary

! R3
conf t
router eigrp 100
network 10.0.0.0
no auto-summary

Verify Routing on R1 and R3
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 4.1.1.2 to network 0.0.0.0

4.0.0.0/30 is subnetted, 1 subnets
C 4.1.1.0 is directly connected, Serial0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.1.3.0/30 is directly connected, Tunnel0
D 10.1.2.0/24 [90/297270016] via 10.1.3.2, 00:21:00, Tunnel0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 4.1.1.2
R1#

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 4.1.2.1 to network 0.0.0.0

4.0.0.0/30 is subnetted, 1 subnets
C 4.1.2.0 is directly connected, Serial0/1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.1.3.0/30 is directly connected, Tunnel0
C 10.1.2.0/24 is directly connected, FastEthernet0/0
D 10.1.1.0/24 [90/297270016] via 10.1.3.1, 00:21:28, Tunnel0
S* 0.0.0.0/0 [1/0] via 4.1.2.1
R3#

Verify GRE
Now that we have configured the GRE VPN tunnel, let's run some verification commands on routers R1 and R3.

We’ll start by verifying the tunnel0 interface on R1.

R1#show interface tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.3.1/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 4.1.1.1 (Serial0/0), destination 4.1.2.2
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:03, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
302 packets input, 25344 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
302 packets output, 25364 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
R1#

Let’s check the tunnel interface on router R3 now.

R3#show interface tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.3.2/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 4.1.2.2 (Serial0/1), destination 4.1.1.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:03, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
316 packets input, 26540 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
318 packets output, 26688 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

We can verify that the GRE tunnel is working fine by running traceroute on R1 and R3.

R1#traceroute 10.1.2.1
Type escape sequence to abort.
Tracing the route to 10.1.2.1
1 10.1.3.2 8 msec 0 msec 0 msec

The first and only hop is 10.1.3.2, the far end of the tunnel, so the traffic is traversing the GRE tunnel rather than being routed hop by hop through R2.

R3#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
1 10.1.3.1 4 msec 4 msec 0 msec

Troubleshooting GRE
* The tunnel interface IP addresses on both sides must be in the same subnet
* The subnet masks on both sides of the tunnel must match
* Check that the interfaces used as tunnel source and destination are configured with the correct IP addresses, and that each side's tunnel destination is the other side's tunnel source
* Check that the tunnel interfaces are up
* Verify that static or dynamic routing is configured properly, both for the underlay (so the tunnel endpoints can reach each other) and for the networks carried over the tunnel

Adding Security to GRE via IPSec
The biggest drawback of GRE is that by itself it provides no security: no encryption, no integrity protection and no authentication of the remote endpoint.

So we combine GRE with IPSec (GRE over IPSec) to add the protection GRE lacks while keeping GRE's ability to carry multicast and routing protocols.
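As an added illustration, not part of the original post, the following Python decodes a constructed GRE-over-IPv4 packet like the ones R1 sends to R3 and shows concretely why plain GRE is called insecure: the GRE header flags correspond to the "Key disabled, sequencing disabled, Checksumming of packets disabled" lines in the show interface output, and the inner packet and its payload are readable as-is. The packet bytes are built inline from the page's addresses; the helper names are this example's own.

```python
import struct
import ipaddress

# GRE flag bits from the first 16 bits of the GRE header (RFC 2784 / RFC 2890).
# They map to the "Key", "sequencing" and "Checksumming" lines of
# "show interface tunnel0"; all three are off by default on Cisco IOS.
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def parse_ipv4(buf):
    """Return (src, dst, protocol, header_len) for the IPv4 header at buf[0]."""
    ihl = (buf[0] & 0x0F) * 4
    proto = buf[9]
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, proto, ihl


def parse_gre(buf):
    """Parse a GRE header; return (flags dict, protocol type, header_len)."""
    flags, proto = struct.unpack("!HH", buf[:4])
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4  # checksum (2 bytes) + reserved1 (2 bytes)
    if flags & GRE_FLAG_KEY:
        offset += 4  # the key is a plaintext 32-bit tunnel identifier, not a secret
    if flags & GRE_FLAG_SEQ:
        offset += 4  # sequence number: ordering only, no replay protection
    return ({"checksum": bool(flags & GRE_FLAG_CHECKSUM),
             "key": bool(flags & GRE_FLAG_KEY),
             "sequence": bool(flags & GRE_FLAG_SEQ)}, proto, offset)


def inspect_gre_packet(pkt):
    """Decode outer IPv4 + GRE + inner IPv4; everything comes back in cleartext."""
    o_src, o_dst, o_proto, o_len = parse_ipv4(pkt)
    if o_proto != IPPROTO_GRE:
        raise ValueError("not a GRE packet (IP protocol %d)" % o_proto)
    flags, ptype, g_len = parse_gre(pkt[o_len:])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    i_src, i_dst, i_proto, i_len = parse_ipv4(pkt[o_len + g_len:])
    payload = pkt[o_len + g_len + i_len:]
    return {"outer": (o_src, o_dst), "gre": flags,
            "inner": (i_src, i_dst, i_proto), "payload": payload}


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 header (no options, checksum left at zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed sample: PC1 (10.1.1.2) sends a UDP datagram to PC2 (10.1.2.2)
# through the page's tunnel (outer 4.1.1.1 -> 4.1.2.2, all GRE flags zero).
INNER = build_ipv4("10.1.1.2", "10.1.2.2", 17, b"hello")
SAMPLE_GRE_PACKET = build_ipv4("4.1.1.1", "4.1.2.2", IPPROTO_GRE,
                               struct.pack("!HH", 0, ETHERTYPE_IPV4) + INNER)
```

Anyone who can observe the 4.1.x.x underlay (R2 in this lab, or any hop on the Internet in the real world) can run the same decode, which is the gap IPSec closes.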

In a following blog post, we’ll demonstrate GRE with IPSec.

Posted at 9:34 pm

How to Install KeePassX on CentOS 7

Linux, Security
Sep 23, 2018

Even if you're an Einstein, there's no way you can remember all the user names and passwords for your Hotmail, Netflix, Gmail, multiple bank accounts, credit card accounts, Dropbox and other sundry login details.

People without a password manager tend to write their user names and passwords on a piece of paper (not good, because you can easily lose it) or, worse, reuse the same user names and passwords for multiple accounts (more dangerous, because if one of your accounts is compromised the others will soon be too).

The biggest plus of a password manager is that you no longer have to remember multiple user names and passwords but just one master password that provides you with access to all the other user names and passwords.

If you’re not using a password manager, get one immediately. There are several password managers but a lot of them charge a monthly fee.

Since there are open source password managers of high quality, there’s no need to sign up for a fee-based service.

My personal favorite is KeePassX.

KeePassX Password Manager

KeePassX is a decent password manager for Linux and has been around for more than a decade.

I’ve used KeePassX on various flavors of Linux for a few years now and like that it’s free, local (i.e., not cloud-based), and comes with a secure password generator.

The latest version is KeePassX 2.0.2-1 on Ubuntu/Linux Mint repositories but the version for CentOS 7 or CentOS 6 is 0.4.4. The official KeePassX version is newer, 2.0.3.

Default security setting for the KeePassX database on version 0.4.4 of my CentOS 7 machine is AES (Rijndael) 256-bit encryption.

KeePassX has URL open (Ctrl+U) and auto-fill (Ctrl+V) capabilities, but I must caution that once in a while the auto-fill does not work.

KeePassX also features Groups, which let you keep all the user names and passwords for a certain category (say, different e-mail accounts) together. So you can have one group for E-mail, another for Entertainment (Netflix, Amazon Video, etc.), a third for your bank and credit card accounts, and so on.

Installing KeePassX

Installing KeePassX on CentOS 7 or CentOS 6 is a no-brainer.

[thomaspc@localhost ~]$ sudo yum install keepassx
[sudo] password for thomaspc:
Loaded plugins: fastestmirror, langpacks, product-id, search-disabled-repos, subscription-manager
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                    |  14 kB  00:00:00
 * base: mirror.datto.com
 * epel: mirror.umd.edu
 * extras: centos2.zswap.net
 * updates: mirror.atlanticmetro.net
base                                    | 3.6 kB  00:00:00
epel                                    | 3.2 kB  00:00:00
extras                                  | 3.4 kB  00:00:00
updates                                 | 3.4 kB  00:00:00
(1/2): epel/x86_64/updateinfo           | 944 kB  00:00:00
(2/2): epel/x86_64/primary              | 3.6 MB  00:00:00
epel                                                 12686/12686
Resolving Dependencies
--> Running transaction check
---> Package keepassx.x86_64 0:0.4.4-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch         Version              Repository        Size
================================================================================
Installing:
 keepassx         x86_64       0.4.4-1.el7          epel             807 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 807 k
Installed size: 2.8 M
Is this ok [y/d/N]: y
Downloading packages:
keepassx-0.4.4-1.el7.x86_64.rpm         | 807 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : keepassx-0.4.4-1.el7.x86_64                    1/1
  Verifying  : keepassx-0.4.4-1.el7.x86_64                    1/1

Installed:
  keepassx.x86_64 0:0.4.4-1.el7

Complete!

Advantages & Disadvantages

Since every individual has unique needs, it’s hard to speak for everyone.

In my case, I prefer a password manager that’s local. So KeePassX is a plus for me.

But others may want a cloud-based password manager that they can access from any device anywhere.

KeePassX will not please such people because it lacks a cloud version. But you can keep a copy of the encrypted KeePassX database on Dropbox or a similar online storage service and access the database that way.

Overall, I’ve found KeePassX to be a reliable Password Manager on my CentOS 7 and Linux Mint 18 systems.

You can read more about KeePassX on the password manager’s web site KeePassX.org.

Posted at 2:17 pm

Early Christmas for KeePassX Users – KeePassX 2.0 Out

Products, Security
Dec 7, 2015

Folks, Christmas has arrived 18 days early for users of the password manager KeePassX.

After five years of development, version 2.0 of KeePassX has been released.

The previous stable version of KeePassX was 0.4.3, which was released way back in March 2010.

Clearing Confusion

Let’s first clear up lingering confusion.

In the minds of end users, there's considerable confusion between the two major password management utilities: KeePassX and KeePass.

Here’s the key difference between the two utilities.

KeePass is primarily a password management utility developed for various versions of Windows, although it can run on other platforms like Mac OS X and Linux via Mono.

Unofficial ports of KeePass for different platforms are also available.

KeePassX, on the other hand, was developed from the get-go as a cross-platform password management utility.

KeePassX (written in Qt) was originally known as KeePass/L, since it was a Linux port of KeePass Password Safe.

After the utility became cross-platform in 2006, the L was dropped and the name was changed to KeePassX.

New Features in KeePassX 2.0

KeePassX developers have highlighted various new features in version 2.0:

Posted at 9:59 am

Free Anti-Virus Software for Linux Systems

Linux, Security
Nov 27, 2015

If you’re a Linux aficionado, bravo.

You’re obviously more knowledgeable about computers than the average user.

Linux – Risks Lurk

The good thing about Linux systems is that they’re less vulnerable compared to, say, Windows or any other operating system.

But don't be fooled by all those fanboys who claim Linux is like Fort Knox, virtually impenetrable to hackers.

Linux, like every other operating system, is prone to malware, viruses and all the other bad stuff.

Further, even if malware does not affect a Linux system directly, it can still cause widespread harm if you run a Linux web server that Windows, Mac, Android and other systems connect to.

So Linux server and desktop users would be well advised to be on the alert for malware.

Although Linux still has a small installed base at the consumer level, its growing usage is also prompting hackers to target this operating system.

Thankfully, for all ye scrooges, there are a few free anti-virus packages for Linux.

Here are a couple of them.

1. Sophos offers anti-virus protection for Linux providing on-access and on-demand scanning.

Sophos supports popular Linux distributions including Red Hat Enterprise Linux (versions 4, 5, 6 and 7), CentOS (5.8+, 6.2+ and 7) and Ubuntu LTS Server Edition 12.04 / 14.04 (version 9.6.1+).

You can download the free Sophos anti-virus software for Linux from the company’s web site.

2. ClamAV is another free anti-virus package for popular Linux distros like Red Hat, CentOS and Ubuntu.

Red Hat & CentOS

For Red Hat and CentOS distributions, make sure you have the EPEL repository enabled before trying to install ClamAV.

$ sudo yum install clamav clamd


Posted at 2:35 pm

Nmap Security Scanner gets Major Upgrade in Version 7

Security
Nov 19, 2015

If you're still running nmap 6.0, now's the time to upgrade!

Open source security scanner nmap has received a big upgrade in version 7, which debuted November 19, 2015.

Touted as the product of three and a half years of work, nmap 7 includes nearly 3,200 code commits and enhancements that are part of over a dozen point releases since the big nmap 6 release in May 2012.

Nmap 7 – Highlights

Since nmap 6, developers of the free security scanner have added 171 new scripts and 20 libraries including firewall-bypass, supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed.

The Nmap Scripting Engine (NSE) is now reportedly powerful enough that scripts can take on core functions such as host discovery (dns-ip6-arpa-scan), version scanning (ike-version, snmp-info, etc.) and RPC grinding (rpc-grind).

There’s even a proposal to implement port scanning in NSE.

Nmap 7 provides full IPv6 support for CIDR-style address ranges, Idle Scan, parallel reverse-DNS, and more NSE script coverage.

Faster scans are another highlight of nmap 7.

Version scan is supposedly quicker in nmap 7 because of 56 more softmatch lines that prevent nmap from sending irrelevant probes to certain services.

The ssl-enum-ciphers script has been entirely revamped in release 7 to perform fast analysis of TLS deployment problems, and version scanning probes have been tweaked to quickly detect the newest TLS handshake versions.

A favorite of systems and network administrators, nmap is used for network inventory, managing service upgrade schedules, monitoring host or service uptime and other tasks.

The cross-platform nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Designed for rapid scanning of large networks, nmap works well for single hosts too.

Posted at 11:03 pm

Tails 1.6 Out

Linux, Security
Sep 28, 2015

The developers of Tails have released version 1.6 of the privacy-oriented Linux distribution.

Tails 1.6 is primarily a security release that fixes several vulnerabilities found in the previous version (1.5.1).

The Tails team is asking users to upgrade to version 1.6 immediately.

Tails 1.6 – Changes

The Tor Browser has been upgraded to version 5.0.3 (based on Firefox 38.3.0 ESR) in Tails 1.6.

Posted at 8:35 pm