Posts

Mac OS X: install OpenConnect with libstoken support

Install OpenConnect with libstoken support

Prerequisites

Configure, make, install OpenConnect with libstoken support

The steps below build and install OpenConnect with libstoken (RSA SecurID software token) support.
You can download the latest OpenConnect release here: http://www.infradead.org/openconnect/download.html

Using OpenConnect with stoken support

Import your token

  1. Import your RSA token provisioning string, URL, or file with one of:

  2. Enter the token’s password if prompted; you may choose a new one or leave it blank.
  3. If prompted for a PIN, use the provisioning PIN; if you don’t have one, it is probably 0000.
  4. Check that ~/.stokenrc was created (it holds the token seed, so it should be readable only by you).
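The build and the token import above, collected into one script as an added example (these are not the commands from the original post). It assumes Homebrew supplies libstoken and the other build dependencies, that the OpenConnect tarball has already been downloaded from the link above, and that the provisioning string/URL and file name passed to import_token are placeholders. The check functions are the part worth keeping: one confirms the installed binary really has stoken support, the other that ~/.stokenrc is not readable by other users.

```shell
#!/bin/sh
# Added example, not the original post's commands. Builds OpenConnect from a
# downloaded source tarball with libstoken support on macOS, imports an RSA
# SecurID token with stoken, and checks the results. Assumed: Homebrew is
# installed and provides libstoken and the other build dependencies.

# Build OpenConnect from a release tarball (e.g. openconnect-9.12.tar.gz).
# --with-stoken makes ./configure fail loudly if libstoken is not found
# (it is located via pkg-config) instead of silently building without it.
build_openconnect() {
    tarball="$1"
    brew install stoken gnutls libxml2 pkg-config vpnc-script   # assumed formula names
    tar xzf "$tarball"
    cd "$(basename "$tarball" .tar.gz)" || return 1
    PKG_CONFIG_PATH="$(brew --prefix)/lib/pkgconfig" \
        ./configure --with-stoken \
            --with-vpnc-script="$(brew --prefix)/etc/vpnc/vpnc-script"   # assumed path
    make
    sudo make install
}

# Exit 0 if the given `openconnect --version` output reports stoken support.
# Recent releases list "RSA software token" under "Features present";
# older ones print "Using libstoken <version>".
has_stoken_support() {
    printf '%s\n' "$1" | grep -qiE 'libstoken|RSA software token'
}

# Import a SecurID token. The argument is either an .sdtid provisioning file
# (--file) or a provisioning string/URL (--token); stoken prompts for the
# token password and PIN itself when they are needed.
import_token() {
    case "$1" in
        *.sdtid) stoken import --file="$1" ;;
        *)       stoken import --token="$1" ;;
    esac
}

# Octal permission bits of a file, with BSD (macOS) or GNU stat.
file_mode() {
    if stat -f %Lp "$1" >/dev/null 2>&1; then
        stat -f %Lp "$1"
    else
        stat -c %a "$1"
    fi
}

# ~/.stokenrc holds the token seed (and the PIN if you chose to save it):
# it must exist and be readable only by its owner.
check_stokenrc() {
    rc="${1:-$HOME/.stokenrc}"
    [ -f "$rc" ] || { echo "missing $rc" >&2; return 1; }
    case "$(file_mode "$rc")" in
        600|400) return 0 ;;
        *) echo "$rc is group/world readable, run: chmod 600 $rc" >&2; return 1 ;;
    esac
}

# Typical sequence once the build is done (placeholder values):
#   build_openconnect openconnect-9.12.tar.gz
#   import_token 'https://provisioning.example.com/...'
#   check_stokenrc && has_stoken_support "$(openconnect --version 2>&1)" \
#       && sudo openconnect --token-mode=rsa vpn.example.com
```

With --token-mode=rsa and no --token-secret, openconnect reads the token from ~/.stokenrc and generates the tokencode itself, so the PIN prompt you see at connect time comes from openconnect rather than from the VPN server.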

vpnc-script returned error 1 resolv.conf mac osx

Recently on my Mac OS X machine I rebooted, and when I tried to start my VPN using vpnc I got the following error:

This basically rendered the vpnc-script useless. To resolve it you need to do the following:

Then try starting the VPN again; hopefully that fixes it. Any issues, please comment.

How to use a question mark in a pre-shared key

How to escape a question mark (?) on a Cisco ASA

How to insert a question mark in a regex or pre-shared key

When I was working on setting up a VPN for a customer they presented us with a PSK that contained a question mark (?). This proved a challenge on the Cisco ASA, because the CLI treats ? as a request for context-sensitive help and never adds it to the command line. I found the solution below to escape the question mark; it works on any Cisco IOS device as well:

1. Just before you want to add the ? character, press Ctrl-V.
2. Then type the ? character. Finally press Ctrl-L to redisplay the line and confirm the ? was accepted as a literal character.
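The key sequence applied to a LAN-to-LAN tunnel-group on an ASA, as an added example that is not from the original post; the peer address, the key and the IOS AS-path regex are placeholders. In both cases the ? is typed as Ctrl-V followed by ?:

```cisco
! ASA: pre-shared key containing a literal question mark.
! Press Ctrl-V immediately before the ? so the CLI does not treat it as help.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key Tr0ub4dor?key
! (ASA 8.2 and earlier: pre-shared-key Tr0ub4dor?key)
!
! Check: show running-config masks the key as *****, so confirm the stored
! value (as a privileged admin) with:
!   more system:running-config
!
! IOS: the same trick for a ? inside a regex, here an AS-path filter where
! the second AS is optional.
ip as-path access-list 10 permit ^65000(_65001)?$
```

Because show running-config hides the key, a mismatched ? is easy to miss; checking more system:running-config (or simply re-entering the key on both peers) saves a long ISAKMP debugging session.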

Firewall VPN ISAKMP (IKE Phase 1) status messages

These are the possible ISAKMP (IKEv1) negotiation states shown for a tunnel on an ASA firewall. ISAKMP stands for Internet Security Association and Key Management Protocol. In main mode the two peers exchange six messages: 1 and 2 agree the policy, 3 and 4 exchange Diffie-Hellman values and nonces, and 5 and 6 (now encrypted) carry identities and the authentication hashes, so the MM_WAIT_MSGn state tells you which message a peer is waiting for.

ASA ISAKMP STATES

  • MM_WAIT_MSG2 – The initiator has sent its ISAKMP SA proposal (message 1) and is waiting for the responder’s reply. If stuck here it usually means the other end is not responding: there is no route to the far end, the far end does not have ISAKMP enabled on its outside interface, UDP 500 is blocked in between, or the far end is down.
  • MM_WAIT_MSG3 – The responder has accepted an ISAKMP policy (message 2) and is waiting for the initiator’s Diffie-Hellman public value and nonce. Hang-ups here may be due to mismatched device vendors, a router or firewall in the path dropping the larger key-exchange packets, or even ASA version mismatches.
  • MM_WAIT_MSG4 – The initiator has sent its Diffie-Hellman public value and nonce (message 3) and is waiting for the responder’s. Nothing is authenticated yet; the pre-shared key is not compared at this stage. If one side sends its key-exchange payload and does not receive one back, this is where the tunnel will fail. I have seen the tunnel fail at this step due to the remote side having the wrong peer IP address. Hang-ups here may also be due to mismatched device vendors, a router with a firewall in the way, or even ASA version mismatches.
  • MM_WAIT_MSG5 – Both Diffie-Hellman values have been exchanged and the shared secret derived, so messages 5 and 6 are encrypted. The responder is waiting for the initiator’s identity and authentication hash (message 5). If the pre-shared keys do not match, the responder cannot decrypt message 5 and stays at this state. I have also seen the tunnel stop here when NAT Traversal was on when it needed to be turned off.
  • MM_WAIT_MSG6 – The initiator has sent its identity and authentication hash (message 5) and is waiting for the responder’s (message 6). A pre-shared key mismatch leaves the initiator stuck here while the responder sits in MM_WAIT_MSG5. If the state reaches MSG6 and then the ISAKMP SA gets reset, phase 1 finished but phase 2 failed: check that the IPsec settings match in phase 2 to get the tunnel to MM_ACTIVE.
  • AM_ACTIVE / MM_ACTIVE – The ISAKMP negotiations are complete; phase 1 has successfully completed (aggressive mode and main mode respectively).

PIX ISAKMP STATES

  • MM_NO_STATE – ISAKMP SA has been created but nothing else has happened yet.
  • MM_SA_SETUP – The peers have agreed on parameters for the ISAKMP SA.
  • MM_KEY_EXCH – The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.
  • MM_KEY_AUTH – The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE and a Quick mode exchange begins.
  • AG_NO_STATE – The ISAKMP SA has been created but nothing else has happened yet.
  • AG_INIT_EXCH – The peers have done the first exchange in Aggressive mode but the SA is not authenticated.
  • AG_AUTH – The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE and a Quick mode exchange begins.
  • QM_IDLE – The ISAKMP negotiations are complete. Phase 1 successfully completed. It remains authenticated with its peer and may be used for subsequent Quick mode exchanges.
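How to read these states off a live box, as an added example that is not from the original post. The commands are the ASA 8.4+ IKEv1 forms (older ASA/PIX releases use show crypto isakmp sa, debug crypto isakmp and clear crypto isakmp sa); the peer address and the sample output are constructed.

```cisco
! Current phase 1 state for every peer.
show crypto ikev1 sa
!
! Constructed sample output (the layout is the ASA's, the values are made up):
!    Active SA: 1
!     Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
! Total IKE SA: 1
!
! 1   IKE Peer: 203.0.113.2
!     Type    : L2L             Role    : initiator
!     Rekey   : no              State   : MM_WAIT_MSG6
!
! An initiator parked in MM_WAIT_MSG6 while the far end reports MM_WAIT_MSG5
! points at a pre-shared key mismatch. Confirm with a conditional debug so
! only this peer's negotiation is logged, clear the half-built SA, then send
! interesting traffic to start a fresh negotiation.
debug crypto condition peer 203.0.113.2
debug crypto ikev1 127
clear crypto ikev1 sa 203.0.113.2
!
! Stop debugging once the failing message has been captured.
undebug all
```

The conditional debug matters on a busy head end: debug crypto ikev1 127 without a peer filter logs every negotiation on the box and can flood the console.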

VPN tunnel initiation only from one end

To have the VPN tunnel initiated only from one end, configure the head end of the connection as originate-only with the originate-only keyword in its crypto map entry, and the remote end with the answer-only keyword. The answer-only side then never starts a negotiation, so the tunnel can only ever be brought up from the head end.

Refer to the crypto map configuration example below.
Head end (local site):

For the remote site:
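A full pair of crypto map entries showing the two keywords, added here as an example rather than taken from the original post. Addresses, names and the key are placeholders, the ACLs are mirrored as they must be for a LAN-to-LAN tunnel, and the IKEv1 policy and the transform set TS-AES256 are assumed to exist already on both ASAs:

```cisco
! Head end (local site, outside address 198.51.100.1): originates the tunnel.
access-list L2L-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP 10 set connection-type originate-only
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <shared-key>
!
! Remote site (outside address 203.0.113.2): only answers, never initiates.
! The ACL is the mirror image of the head end's.
access-list L2L-TRAFFIC extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP 10 set connection-type answer-only
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <shared-key>
!
! Check which side is allowed to initiate:
show running-config crypto map
```

On ASA 8.2 and earlier the transform-set line is set transform-set and the key line is pre-shared-key; the connection-type keyword is the same.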

VPN using LDAP Authentication

Below is an example configuration of a VPN using LDAP authentication. In this example a Red Hat LDAP server was used to authenticate Cisco VPN users. The configuration checks whether the user is a member of the vpn_access group and only then allows access; a user who authenticates but is not in that group falls through to the noaccess policy, which permits no logins.
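The pattern described above written out as an added example (not the original post's configuration). Host addresses, DNs, names and the bind password are placeholders, and it assumes the directory exposes group membership through a memberOf attribute on the user entry (the MemberOf plugin in Red Hat/389 Directory Server); if your directory only records members on the group object, the attribute map needs a different source attribute. The bind is done over LDAPS so the service account password does not cross the network in clear:

```cisco
! Translate the user's memberOf value for vpn_access into a group-policy
! name. Users without a matching value get no IETF-Radius-Class and so
! receive the tunnel-group's default policy (noaccess).
ldap attribute-map LDAP-MAP
 map-name  memberOf IETF-Radius-Class
 map-value memberOf "cn=vpn_access,ou=Groups,dc=example,dc=com" VPN-USERS
!
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.0.0.5
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-login-dn cn=asa-bind,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type auto-detect
 ldap-attribute-map LDAP-MAP
!
! Catch-all policy: authenticated users outside vpn_access land here, and
! zero simultaneous logins means the connection is refused.
group-policy noaccess internal
group-policy noaccess attributes
 vpn-simultaneous-logins 0
!
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1 ssl-client
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAP-SRV
 default-group-policy noaccess
!
! Check the bind and the mapping before going live (jdoe is a placeholder):
test aaa-server authentication LDAP-SRV host 10.0.0.5 username jdoe password <pw>
```

The deny happens at policy selection, not at the LDAP bind: a valid user outside the group authenticates successfully and is then refused by vpn-simultaneous-logins 0 in noaccess. The map-value string must match the group DN exactly as the directory returns it, so copy it from an ldapsearch of a known member rather than typing it by hand.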

Cisco ASA Rate Limit a VPN Tunnel

This post is about rate limiting traffic that traverses the VPN, so that a single tunnel cannot saturate the external interface.

The tunnel group should already be in place as per the usual config:

1) Create a class map to define the traffic that should be matched; in our case we match any traffic that belongs to the tunnel group:

2) Create a policy map, associate the class map with it, and define an action (police) for matched traffic. The rate below is in bits per second and the burst size in bytes:

3) Activate the policy map by assigning it to the external interface:

4) Verify that the policy has taken effect by pushing traffic across the tunnel from a server behind the firewall and then checking the policer’s conformed and exceeded counters:
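The four steps as one configuration, added here as an example that is not the original post's. The peer address is a placeholder and the tunnel-group for it is assumed to exist already; the numbers cap the tunnel at 10 Mbit/s in each direction with a one-second burst allowance:

```cisco
! 1) Class map: traffic belonging to the site-to-site tunnel group.
!    match flow ip destination-address pairs with match tunnel-group and
!    makes the ASA police each destination address as its own flow.
class-map VPN-SITE-B
 match tunnel-group 203.0.113.2
 match flow ip destination-address
!
! 2) Policy map: police matched traffic. First number is the conform rate
!    in bits per second, second is the burst size in bytes
!    (10 Mbit/s = 10000000 bps; one second of it is 1250000 bytes).
policy-map VPN-RATE-LIMIT
 class VPN-SITE-B
  police input  10000000 1250000
  police output 10000000 1250000
!
! 3) Apply it on the external interface.
service-policy VPN-RATE-LIMIT interface outside
!
! 4) Verify: generate traffic across the tunnel, then read the counters.
!    Growing "exceeded" counters show the policer is actually dropping.
show service-policy interface outside police
```

A ping alone will not show whether the policer works because it stays far below the rate; use a bulk transfer and watch the exceeded counter climb.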

Cisco ASA Disable Extended Authentication

Once you disable extended authentication (Xauth), the VPN client no longer prompts for a username and password; the tunnel is authenticated with only the tunnel-group name and its pre-shared key. This is not advised: that key is shared by every user of the group, so there is no per-user authentication, no audit trail of who connected, and no way to revoke a single user without changing the key for everyone. It is best to keep user authentication on.

In tunnel-group ipsec-attributes mode, enter this command to disable extended authentication, which is enabled by default, on the PIX/ASA 7.x:
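Both forms side by side, as an added example rather than the original post's command: the weak setting on the left of the comment divider, the recommended default below it. The tunnel-group and AAA server names are placeholders.

```cisco
! Not recommended: no Xauth, the group pre-shared key is the only credential.
! PIX/ASA 7.x and 8.2 syntax:
tunnel-group RA-VPN ipsec-attributes
 isakmp ikev1-user-authentication none
! ASA 8.4 and later syntax for the same setting:
tunnel-group RA-VPN ipsec-attributes
 ikev1 user-authentication none
!
! Recommended: leave Xauth on (the default) so each user authenticates
! individually against AAA and can be revoked without rotating the group key.
tunnel-group RA-VPN ipsec-attributes
 ikev1 user-authentication xauth
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAP-SRV
!
! Verify which setting is active:
show running-config tunnel-group RA-VPN
```

Because xauth is the default, it does not appear in show running-config; only the none setting shows up, which makes it easy to spot tunnel groups that have had user authentication switched off.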

Client VPN tunnel all traffic

Cisco ASA Client VPN tunnel all the user traffic through the VPN.
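The group-policy setting that does this, with the split-tunnel alternative beside it, as an added example that is not from the original post; the policy and ACL names are placeholders:

```cisco
! Send all client traffic through the tunnel. tunnelall is the default, so
! setting it explicitly also overrides split tunnelling inherited from
! another policy.
group-policy VPN-USERS attributes
 split-tunnel-policy tunnelall
!
! Client traffic now arrives on and must leave via the outside interface
! (hairpinning), which the ASA blocks unless this is enabled; a NAT rule for
! the VPN pool is also needed for Internet access.
same-security-traffic permit intra-interface
!
! For comparison, split tunnelling: only the listed networks go via the VPN.
! access-list SPLIT standard permit 10.0.0.0 255.0.0.0
! group-policy VPN-USERS attributes
!  split-tunnel-policy tunnelspecified
!  split-tunnel-network-list value SPLIT
!
! Verify what a connected client was given:
show vpn-sessiondb detail anyconnect
```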