Thursday, August 15, 2019

VPN with a Cisco Router


Configuring a VPN is often quite simple, especially if we understand what's going on and what's supposed to happen. But somehow, Cisco decided it would be awfully complicated to configure a VPN on their routers... Let's dig into that.

First I'd like to point to a very well done blog post explaining how VPNs work and what they are made of: https://www.network-node.com/blog/2017/7/24/ccie-security-ipsec-vpn-overview

There are two main difficulties to handle in the configuration: the VRF context, and IKEv1 versus IKEv2.

Also, the local and remote proxies (subnets) are defined via an access list.

To configure IPsec on a Cisco router, you need a non-NPE (no payload encryption) firmware image and an active securityK9 license.

Configuration example for IKEv1 (Not recommended):


crypto keyring keyring1 vrf VRF1
  pre-shared-key address <remote IP> key <pre shared key>
!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 20
 lifetime 3600
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile isaprofile1
   vrf VRF1
   keyring keyring1
   match identity address <remote IP> <remote mask> VRF1
!
!
crypto ipsec transform-set FCDQSET esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto map FCDQMAP 10 ipsec-isakmp
 set peer <remote IP>
 set transform-set FCDQSET
 set isakmp-profile isaprofile1
 match address 102
!
access-list 102 permit ip <local proxy> <remote proxy>
!
!
interface GigabitEthernet0/0/0
 ip vrf forwarding VRF1
 ip address <local IP> <local mask>
 negotiation auto
 crypto map FCDQMAP
!


Configuration example for IKEv2 (Recommended):


crypto ikev2 proposal proposl1
 encryption aes-cbc-256 aes-cbc-192
 integrity sha512
 group 20 24
!
crypto ikev2 policy POLIKE1
 match fvrf VRF1
 proposal proposl1
!
crypto ikev2 keyring keyring2
 peer peer_hostname
  description link to peer
  address <remote IP>
  pre-shared-key local a$j4V!X7m*r)3333
  pre-shared-key remote a$j4V!X7m*r)2222
 !
!
!
crypto ikev2 profile PROFIKE1
 match fvrf VRF1
 match address local interface GigabitEthernet0/0/0
 match identity remote address <remote IP> <remote mask>
 authentication remote pre-share
 authentication local pre-share
 keyring local keyring2
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set FCDQSET esp-aes 256 esp-sha512-hmac
 mode tunnel
!
!
!
crypto map FCDQMAP 10 ipsec-isakmp
 set peer <remote IP>
 set transform-set FCDQSET
 set ikev2-profile PROFIKE1
 match address 102
 reverse-route
!
access-list 102 permit ip host <local proxy> <remote proxy>
!
!
interface GigabitEthernet0/0/0
 ip vrf forwarding VRF1
 ip address <local IP> <local mask>
 negotiation auto
 crypto map FCDQMAP
!


This assumes Gi0/0/0 is the interface you want to terminate the VPN on. It is also possible to declare a virtual interface Tunnel1 and bind it to the physical interface, if you prefer or if that makes the setup easier.

Important note: it seems you CANNOT configure an IPsec VPN on a management interface. Use a normal interface for it.

Make sure you can ping the remote IP (from inside VRF1, if applicable) and it should all be good!

Of course, if it doesn't come up, make sure that the ciphers and the subnets/proxies match on both sides. You can find out more by issuing the following commands:

IKEv1:

Router#show crypto session
...
Router#show crypto isakmp sa [vrf VRF1]
...
Router#show crypto ipsec sa [vrf VRF1]

IKEv2:

Router#show crypto session
...
Router#show crypto ikev2 sa [fvrf VRF1]
...
Router#show crypto ipsec sa [vrf VRF1]

And the debug commands, useful to see where the negotiation gets stuck:

Router#debug crypto isakmp
Router#debug crypto ikev2
Router#debug crypto ipsec
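Most "the tunnel won't come up" cases are a crypto map that references a transform-set, profile or access-list that does not exist, or an IKE parameter the peer rejects. The Python check below is an added example, not part of the original post: it audits a saved running-config in the shape of the examples above (the constructed sample reuses the names FCDQMAP, FCDQSET and PROFIKE1 with documentation addresses) and reports dangling references and weak IKE settings (DH groups 1/2/5, DES/3DES, MD5).

```python
# Constructed config in the shape of the IKEv2 example above (documentation
# addresses, not a real site's values); it is the "known good" reference here.
SAMPLE_CONFIG = """\
crypto ikev2 proposal proposl1
 encryption aes-cbc-256 aes-cbc-192
 integrity sha512
 group 20 24
crypto ikev2 profile PROFIKE1
crypto ipsec transform-set FCDQSET esp-aes 256 esp-sha512-hmac
crypto map FCDQMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set FCDQSET
 set ikev2-profile PROFIKE1
 match address 102
access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
interface GigabitEthernet0/0/0
 crypto map FCDQMAP
"""
# Top-level lines that define an object, sub-commands that reference one, and
# IKE parameters that should not appear in a new deployment.
DEFS = {"crypto ipsec transform-set": "transform-set", "crypto ikev2 profile": "ikev2-profile",
        "crypto isakmp profile": "isakmp-profile", "crypto map": "map", "access-list": "acl"}
REFS = {"set transform-set": "transform-set", "set ikev2-profile": "ikev2-profile",
        "set isakmp-profile": "isakmp-profile", "match address": "acl", "crypto map": "map"}
WEAK = {"group": {"1", "2", "5"}, "encr": {"des", "3des"}, "encryption": {"des", "3des"},
        "hash": {"md5"}, "integrity": {"md5"}}

def audit_crypto_config(config):
    """Return findings: dangling crypto map/interface references and weak IKE parameters."""
    defined, refs, findings, head = set(), [], [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line opens a new block
            head = line
            for prefix, kind in DEFS.items():
                if line.startswith(prefix + " "):
                    defined.add((kind, line[len(prefix):].split()[0]))
        elif head.startswith(("crypto map", "interface")):
            for prefix, kind in REFS.items():
                if line.startswith(prefix + " "):
                    refs.append((kind, line[len(prefix):].split()[0], head))
        elif head.startswith(("crypto isakmp policy", "crypto ikev2 proposal")):
            key, *values = line.split()
            findings += [f"weak {key} {v} in '{head}'" for v in values if v.lower() in WEAK.get(key, ())]
    findings += [f"'{head}' references undefined {kind} {name}"
                 for kind, name, head in refs if (kind, name) not in defined]
    return findings
```

Feed it the output of "show running-config" saved to a file; an empty list means every object the crypto map and interface point at exists and no legacy IKE parameter is in use.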

You should be good to go !

Good luck on your Cisco VPN configuration journey.

Friday, March 8, 2019

[Cisco] Access to Cisco API


Hello,

Today we will review how to access the Cisco API.

You would like to write a script that checks coverage and warranty for all the Cisco equipment in your infrastructure, but you don't know where to begin? Follow these simple steps:

1 - Get access to Cisco Services Access Management

You have to be an administrator and get access to https://cdceb.cloudapps.cisco.com/csam/login.do?action=home. The user that will be used for the script/application must be configured as an "API Developer" and "SNTC Administrator". If you don't have access to this part, contact Cisco support.

2 - Declare your application on Cisco

Connect to https://apiconsole.cisco.com/; you can browse the site as you wish, but the interesting part is "Registering New Application".

Enter the information about your application, then select the Cisco API(s) you will be requesting. In our coverage check example, we select Serial Number to Information API Version 2.

3 - Retrieve your ID

To make API requests to Cisco you will have to use the newly created application's parameters: Client ID and Client secret. They correspond to the account the application is registered under, so the application has exactly the same rights, attached contracts and visibility... Treat the secret like a password, since whoever holds it inherits those rights.





Tuesday, January 15, 2019

[Python] TextFSM : how to format your network equipment output


TextFSM is a very useful module that automatically parses your equipment's raw output and turns it into structured data. It comes with predefined templates for the "most popular" commands on Cisco, Juniper, Arista... ("show ip arp", "show interfaces", "show cdp neighbors"...), but you can also open the templates and build your own!

It takes a little while to install, but it is worth it: you need to install ntc-templates with a 'git clone'. The easiest way is to just clone it into your home directory.

git clone https://github.com/networktocode/ntc-templates

The index file is just a mapping between platform, command, and the corresponding TextFSM template to use. This includes possible abbreviated versions of the command (for example, 'sh ip int br' and 'show ip interface brief').

Netmiko is configured to work with ~/ntc-template/templates/index for the ntc-templates index file. I had to alter the global PATH to tell Netmiko where to look for the TextFSM template directory:

echo 'NET_TEXTFSM="/root/python/ntc-templates/templates/"' >> /etc/environment

All the templates already available for parsing are located in this path. If you need to define your own, that is where you will find examples and a place to begin.

Now, let's see the difference.

You might know it by now: it is pretty simple to connect to a network device with the Netmiko library:

#!/usr/bin/python
from netmiko import Netmiko

core_src_switch = {
    'host': 'yourswitch.domain',
    'username': 'read_only_user',
    'password': 'read_only_user_password',
    'device_type': 'cisco_ios',
}

target_ip = 'your ip'
# open the SSH connection to the device
net_conn = Netmiko(**core_src_switch)
# send "show ip arp <target_ip>" to the device
output_shiparp = net_conn.send_command("show ip arp " + target_ip)
# close the SSH connection
net_conn.disconnect()
print(output_shiparp)

This will give approximately this output with a valid IP:

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  your ip                  5   cc52.aaaa.aaaa  ARPA   Vlan4200

And now, let's modify the command so that it uses TextFSM:

output_shiparp = net_conn.send_command("show ip arp " + target_ip, expect_string=r'#', use_textfsm=True)

New output :

[{'interface': 'Vlan4200', 'age': '5', 'type': 'ARPA', 'mac': 'cc52.aaaa.aaaa', 'address': 'your ip'}]

Immediately usable via code :

In [3]: output_shiparp[0]['address']
Out[3]: 'your ip'
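Once the output is structured like this, checks that are painful on raw text become a few lines. As an added example (not part of the original post), the code below compares two successive parsed "show ip arp" polls, using constructed entries in the exact key layout shown above, and flags an IP whose MAC changed and a MAC now claiming several IPs, which is what a defender watches for on an access VLAN.

```python
# Constructed snapshots in the list-of-dicts shape that use_textfsm=True returns
# for "show ip arp" (see above); not captured from a real device. In the second
# poll the host behind cc52.bbbb.bbbb starts answering for the gateway 10.42.0.254.
ARP_POLL_1 = [
    {"interface": "Vlan4200", "age": "5", "type": "ARPA", "mac": "cc52.aaaa.aaaa", "address": "10.42.0.1"},
    {"interface": "Vlan4200", "age": "12", "type": "ARPA", "mac": "cc52.bbbb.bbbb", "address": "10.42.0.25"},
    {"interface": "Vlan4200", "age": "3", "type": "ARPA", "mac": "cc52.cccc.cccc", "address": "10.42.0.254"},
]
ARP_POLL_2 = [
    {"interface": "Vlan4200", "age": "7", "type": "ARPA", "mac": "cc52.aaaa.aaaa", "address": "10.42.0.1"},
    {"interface": "Vlan4200", "age": "0", "type": "ARPA", "mac": "cc52.bbbb.bbbb", "address": "10.42.0.25"},
    {"interface": "Vlan4200", "age": "0", "type": "ARPA", "mac": "cc52.bbbb.bbbb", "address": "10.42.0.254"},
]

def arp_anomalies(previous, current):
    """Compare two parsed 'show ip arp' polls and report an IP whose MAC changed
    between polls, and a MAC that answers for several IPs on one interface.
    Expect false positives from HSRP/VRRP virtual MACs and routers with
    secondary addresses; whitelist those before alerting on the result."""
    findings = []
    before = {e["address"]: e["mac"] for e in previous}
    for e in current:
        old = before.get(e["address"])
        if old and old != e["mac"]:
            findings.append(f"{e['address']} moved from {old} to {e['mac']} on {e['interface']}")
    by_mac = {}
    for e in current:
        by_mac.setdefault((e["interface"], e["mac"]), []).append(e["address"])
    for (ifname, mac), addrs in by_mac.items():
        if len(addrs) > 1:
            findings.append(f"{mac} answers for {len(addrs)} addresses on {ifname}: {', '.join(sorted(addrs))}")
    return findings
```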

This concludes this small presentation of TextFSM. I strongly advise using it when building code that browses switches and routers.

Friday, January 11, 2019

[Python] SSH to a server through a jump server, with PKI


Hello,

Today's tip is regarding a topic that had me stuck for a while: how to connect to a server through another server, when the whole infrastructure uses public keys to authenticate?

I tried playing with ssh_agent and key forwarding, but I couldn't make it work. Then a suggestion was made to use port forwarding, which is much more straightforward and simple to handle/understand.

Here is a piece of code that should work for you :

#!/usr/bin/python
#
# Paramiko: reach dst_server through jump_server over a direct-tcpip channel
#
import paramiko

# first hop: SSH client for the jump server, authenticated with a private key
jump = paramiko.SSHClient()
# AutoAddPolicy accepts any unknown host key; for production use
# load_system_host_keys() with RejectPolicy so both hops are verified
jump.set_missing_host_key_policy(paramiko.AutoAddPolicy())
k = paramiko.RSAKey.from_private_key_file("/path/to/the/key", password='private_key_password')
jump.connect('jump_server', username='login', pkey=k)
#
# open a forwarded TCP channel from the jump server to dst_server:22
jump_transport = jump.get_transport()
dest_addr = ('dst_server', 22)
local_addr = ('jump_server', 22)
channel = jump_transport.open_channel("direct-tcpip", dest_addr, local_addr)
#
# second hop: SSH session to dst_server carried inside that channel
dest = paramiko.SSHClient()
dest.set_missing_host_key_policy(paramiko.AutoAddPolicy())
dest.connect('dst_server', username='login', password='xxxx', sock=channel)
# we send a simple command
stdin, stdout, stderr = dest.exec_command("hostname")
# we read the return from dst_server (bytes, hence the decode)
print(stdout.read().decode())
# we don't forget to close both SSH sessions
dest.close()
jump.close()
# End
If you are using a simple password, replace pkey with password. Enjoy!

Learn python !

Hello,

I recently took the decision to learn Python all by myself, since my company doesn't see any added value in doing that...

I can only recommend Kirk Byers' free online introduction course:

https://pynet.twb-tech.com/

The courses start at various times of the year, and you can register at that moment. Once you finish the online classes you have access to the full course anyway, even if you missed some lessons.

It is very informative; it requires that you have a minimum programming background, but I really recommend it.

M. Byers is the creator of the "Netmiko" library, which is great to connect to any kind of switch/router.





Thursday, January 10, 2019

Welcome to my blog

2019 is here! New year, new resolutions. I'm opening my blog to share some VERY useful tips I came across during my career. Hope it will be helpful for others!

I will be blogging about any technology, no preference, in the fields of Network & Security.

Some words about me: I graduated a long time ago as a "Network & Telecommunication engineer" from a school in France. I came to Canada for various reasons and I stayed because I find it awesome!

Don't hesitate to ask questions; I fully expect this blog to be largely ignored, so I can answer any question that may pop up!

You may expect funny pictures to come with serious articles.

I wish you all a happy new year 2019 ! Let's get started !