IPsec Troubleshooting. Dr. Tina Bird Last modified: 20 minutes ago

Similar documents
APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Lab Configure a PIX Firewall VPN

Application Notes SL1000/SL500 VPN with Cisco PIX 501

Keying Mode: Main Mode with No PFS (perfect forward secrecy) SA Authentication Method: Pre-Shared key Keying Group: DH (Diffie Hellman) Group 1

Abstract. SZ; Reviewed: WCH 6/18/2003. Solution & Interoperability Test Lab Application Notes 2003 Avaya Inc. All Rights Reserved.

Protocol Security Where?

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Introduction to Security and PIX Firewall

Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham

Lecture 17 - Network Security

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Configuring an IPSec Tunnel between a Firebox & a Cisco PIX 520

Packet Tracer Configuring VPNs (Optional)

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI

Case Study for Layer 3 Authentication and Encryption

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Understanding the Cisco VPN Client

Cisco 1841 MyDigitalShield BYOG Integration Guide

IPsec VPN Application Guide REV:

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Firewall Troubleshooting

Netopia TheGreenBow IPSec VPN Client. Configuration Guide.

Vodafone MachineLink 3G. IPSec VPN Configuration Guide

Chapter 4 Virtual Private Networking

Network Security. Lecture 3

GregSowell.com. Mikrotik VPN

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Virtual Private Network (VPN)

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Chapter 8 Virtual Private Networking

Triple DES Encryption for IPSec

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

LAN-Cell to Cisco Tunneling

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

21.4 Network Address Translation (NAT) NAT concept

Amazon Virtual Private Cloud. Network Administrator Guide API Version

VPN. VPN For BIPAC 741/743GE

iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Module 6 Configure Remote Access VPN

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Laboratory Exercises V: IP Security Protocol (IPSec)

IP Security. Ola Flygt Växjö University, Sweden

The BANDIT Products in Virtual Private Networks

Deploying IPSec VPN in the Enterprise

IPsec Details 1 / 43. IPsec Details

Table of Contents. Cisco Cisco VPN Client FAQ

Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products

VPN SECURITY POLICIES

IPSec and SSL Virtual Private Networks

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Using IPsec VPN to provide communication between offices

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

REMOTE ACCESS VPN NETWORK DIAGRAM

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

Configuring L2TP over IPsec

Lecture 10: Communications Security

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Branch Office VPN Tunnels and Mobile VPN

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Amazon Virtual Private Cloud. Network Administrator Guide API Version

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy

Configuration Guide. How to establish IPsec VPN Tunnel between D-Link DSR Router and iphone ios. Overview

z/os Firewall Technology Overview

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Linux Network Security

Cisco RV 120W Wireless-N VPN Firewall

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

How To Monitor Cisco Secure Pix Firewall Using Ipsec And Snmp Through A Pix Tunnel

Amazon Virtual Private Cloud. Network Administrator Guide API Version

ZyXEL ZyWALL P1 firmware V3.64

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Application Note. Onsight TeamLink And Firewall Detect v6.3

Configure ISDN Backup and VPN Connection

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall.

Using IPSec in Windows 2000 and XP, Part 2

Internet Protocol: IP packet headers. vendredi 18 octobre 13

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

How To Industrial Networking

Implementing and Managing Security for Network Communications

Internet Protocol Security IPSec

Micronet SP881. TheGreenBow IPSec VPN Client Configuration Guide.

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Securing IP Networks with Implementation of IPv6

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide.

Virtual Private Network and Remote Access Setup

Ingate Firewall. TheGreenBow IPSec VPN Client Configuration Guide.

CCNA Security 1.1 Instructional Resource

Virtual Private Networks

FortiOS Handbook IPsec VPN for FortiOS 5.0

Transcription:

IPsec Troubleshooting Dr. Tina Bird tbird@counterpane.com Last modified: 20 minutes ago 1 1

Agenda Building an IPsec Connection Troubleshooting Known Issues 2 2

Building a VPN connection Initial connection request between remote and local machine Authentication process -- may include Diffie-Hellman exchange, strong user authentication, certificate verification Negotiation of session keys and other network characteristics 3 3

Building a VPN connection cont. Establishment of encrypted connection between local and remote machines Data transport between local and remote machines or networks -- HTTP, FTP, telnet, NFS, SMB, etc. 4 4

Building an IPsec Connection Initial connection request (IKE Phase One, Main Mode or Aggressive Mode): verifies machine identities, user authentication if required, keys for Phase Two if required 5 5

Building an IPsec Connection cont. Initial connection request between remote and local machine IKE Phase 1 192.168.30.57.500 > 192.168.167.40.500: udp 990 (ttl 128, id 37896) 192.168.30.57.500 > 192.168.167.40.500: udp 92 (ttl 128, id 38152) 6 6

Building an IPsec Connection cont. Authentication process LDAP certificate exchange 192.168.30.57.1038 > 192.168.174.40.389: s 395784:395784(0) win.. 192.168.174.40.389 > 192.168.30.57.1038: s 1757781809:1757781809(0) ack 395785 win.. 7 7

Building an IPsec Connection cont. IKE Phase Two, Quick Mode: establishes Security Association, including IPsec protocol encryption & packet authentication algorithms keys for bulk data transfer session lifetime 8 8

Building an IPsec Connection cont. Negotiation of session keys and other network characteristics IKE Phase 2 192.168.30.57.500 > 192.168.167.40.500: udp 990 (ttl 128, id 39323) 192.168.30.57.500 > 192.168.167.40.500: udp 92 (ttl 128, id 3958) 9 9

Building an IPsec Connection cont. IPsec connection established, based on requirements of Security Association: Authentication Header, Encapsulating Security Payload, or both Data transfer begins 10 10

Building an IPsec Connection cont. Data transport between local and remote machines or networks 192.168.30.57 > 192.168.167.40: ipproto-50 132 (ttl 128, id 32522) 192.168.30.57 > 192.168.167.40: ipproto-50 132 (ttl 128, id 32778) 11 11

IPsec Connection Phase One Phase Two IKE Main IKE Quick or IKE Aggressive Verify IDs or IKE Quick Negotiate SAs IPsec 12 12

Internet Key Exchange Negotiation protocol used by IPsec peers to agree on security parameters for protected connection Descendant of Internet Security Association Key Management Protocol and Oakley key exchange method 13 13

Internet Key Exchange cont. IKE uses UDP/500. Phase One authenticates sources and destination and establishes a secure channel (if required) to perform SA negotiations Phase Two -- negotiates SA 14 14

Security Association contains all information required to maintain secure connection between two IP-based hosts uniquely identified by SPI example: For access to 10.0.0.0, use ESP with 3DES encryption and HMAC-MD5 for authentication 15 15

Security Association cont. Two SAs required for each network connection, one per IPsec peer (or one inbound, one outbound) Active SAs stored in Security Association Database on each peer 16 16

Cisco-based VPN unknown client 10.2.0.0/24 IP 10.3.0.0/24 Oakland LAN SF LAN oaklandrouter int: 10.2.0.254 ext: 167.131.23.12 Internet corp-router int: 10.1.0.254 ext: 131.17.3.25 sf-router int: 10.3.0.254 ext: 63.98.24.3 SJ Corp LAN 10.1.0.0/24 17 17

Cisco-based VPN cont. Determine IPsec parameters Security parameters Gateway addresses Pre-shared secrets (host authentication) Access control lists (control routing) Configure security policy on routers Apply crypto policy to appropriate interfaces on routers 18 18

Cisco-based VPN cont. IPsec parameters ESP only, tunnel mode for LAN-to-LAN connections 3DES encryption, SHA for hash sj-router is endpoint of all connections (star configuration) 19 19

Cisco-based VPN cont. Define ISAKMP policy for each set of connections: crypto isakmp policy 1 authentication pre-share crypto isakmp key secretkey address 167.131.23.12 20 20

Cisco-based VPN cont. Establish IPsec security parameters: crypto ipsec transform-set config esp-3des esp-shahmac 21 21

Cisco-based VPN cont. Create crypto map entries on all routers: Determine which traffic needs IPsec Determine local and remote VPN endpoints etc. 22 22

Cisco-based VPN cont. Create a static crypto map between sjrouter and the gateways at the remote offices: crypto map sj-oakland 1 ipsec-isakmp set peer 167.131.23.12 set transform-set config match address 100 23 23

Cisco-based VPN cont. Symmetric map on oakland-router: crypto map oakland-sj 1 ipsecisakmp set peer 131.17.3.25 set transform-set config match address 100 24 24

Cisco-based VPN cont. VPN Access Control Lists determine which traffic is routed over the IPsec connection: access-list 100 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 for SJ-to-Oakland traffic. 25 25

Cisco-based VPN cont. Security associations for traffic from sj-router to oakland-router: SPI 12345 67891 src gate 131.17.3.25 167.131.23.12 dest net 10.2.0.0/24 10.0.1.0/24 dest gate 167.131.23.12 131.17.3.25 protocol ESP ESP encrypt 3DES-SHA 3DES-SHA 26 26

Cisco-based VPN cont. Security associations for traffic from oakland-router to sj-router: SPI 12345 67891 src gate 131.17.3.25 167.131.23.12 dest net 10.2.0.0/24 10.0.1.0/24 dest gate 167.131.23.12 131.17.3.25 protocol ESP ESP encrypt 3DES-SHA 3DES-SHA 27 27

Authentication Header Provides authentication of origin of traffic on a per-packet basis Cryptographically verifies source and destination computers/networks Guarantees that traffic is not altered during transmission IP Protocol 51 28 28

IPsec Sample Configuration CA/X.500 (PKI) IP network 192.68.0.1 10.0.0.1 Remote PC IPsec host 192.68.0.10 Ethernet IPsec security gateway Ethernet FTP server 10.0.0.10 29 29

FTP without AH 192.168.0.10.1035 > 10.0.0.10.ftp: P 25:41(16) ack 31 win 8602 (DF) 10.0.0.10.ftp > 192.168.0.10.1035: P 31:96(65) ack 41 win 8684 10.0.0.10.ftp-data > 192.168.0.10.1036: S 522326774:522326774(0) win 8192 192.168.0.10.1036 > 10.0.0.10.ftp-data: S 126568:126568(0) ack 522326775 win 8760 10.0.0.10.ftp-data > 192.168.0.10.1036:. ack 1 win 8760 10.0.0.10.ftp-data > 192.168.0.10.1036: P 1:12(11) ack 1 win 8760 10.0.0.10.ftp-data > 192.168.0.10.1036: F 12:12(0) ack 1 win 8760 30 30

FTP with AH 192.168.0.10 > 192.168.0.1: ip-proto-51 90 (DF) [tos 0xd] (ttl 128, id 65281) 192.168.0.1 > 192.168.0.10: ip-proto-51 94 (DF) (ttl 127, id 16135) 192.168.0.10 > 192.168.0.1: ip-proto-51 80 (DF) [tos 0xd] (ttl 128, id 2) 192.168.0.1 > 192.168.0.10: ip-proto-51 129 (DF) (ttl 127, id 16391) 192.168.0.1 > 192.168.0.10: ip-proto-51 68 (DF) (ttl 127, id 16647) 192.168.0.10 > 192.168.0.1: ip-proto-51 68 (DF) (ttl 128, id 258) 31 31

Encapsulating Security Payload Protects data confidentiality and integrity via encryption of network data (not just headers) Independent of encryption algorithm Works with symmetric encryption algorithms IP Protocol 50 32 32

FTP with ESP 192.168.0.10 > 192.168.0.1: ip-proto-50 88 (DF) [tos 0xd] (ttl 128, id 52740) 192.168.0.1 > 192.168.0.10: ip-proto-50 88 (DF) (ttl 127, id 37383) 192.168.0.10 > 192.168.0.1: ip-proto-50 80 (DF) [tos 0xd] (ttl 128, id 52996) 192.168.0.1 > 192.168.0.10: ip-proto-50 128 (DF) (ttl 127, id 37639) 192.168.0.1 > 192.168.0.10: ip-proto-50 64 (DF) (ttl 127, id 37895) 192.168.0.10 > 192.168.0.1: ip-proto-50 64 (DF) (ttl 128, id 53252) 33 33

IPsec Troubleshooting Be sure that each segment functions individually before testing complete IPsec system 34 34

IPsec Troubleshooting cont. Verify connectivity between remote machine and local VPN gateway Verify connectivity between local gateway and local network Do you have to configure VPN server as a router explicitly? ping, traceroute, netstat to check connectivity 35 35

IPsec Troubleshooting cont. Key negotiation failures Verify connectivity to Internet Key Exchange server (IKE) UDP/500 Verify that remote machine is sending IKE traffic on source port 500 NAT, port translation at perimeter problematic 36 36

IPsec Troubleshooting cont. Both IPsec gateways must be able to agree on security parameters Compare Security Policy Databases on both ends to be sure encryption/hash algorithms, authentication mechanisms, lifetimes compatible NO_PROPOSAL_CHOSEN 37 37

IPsec Troubleshooting cont. ISAKMP error: no common policy -- *Mar 1 00:34:06.187: ISAKMP (17): SA not acceptable! %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 20.20.20.20 38 38

IPsec Troubleshooting cont. ISAKMP error: CERT-TYPE- UNSUPPORTED IPsec gateway cannot understand encoding of certificate received from remote peer 39 39

IPsec Troubleshooting cont. ISAKMP error: AUTHENTICATION- FAILED IPsec gateway failed to verify the identity of a remote peer Check that auth server is includes both IPsec gateways in authentication database, have valid certs, or preshared secrets are the same 40 40

IPsec Troubleshooting cont. Be sure that authentication server or Certificate Authority is functioning properly -- test from internal network Verify that VPN server can exchange data with certificate authority 41 41

IPsec Troubleshooting cont. If encrypted session is established, but users can t reach private network resources: Is it a name resolution issue -- can they reach network resources by IP address but not by hostname? DNS WINS 42 42

IPsec Troubleshooting cont. Are there firewall rules blocking access between IPsec gateways or between networks? Cisco: router access control lists Linux: ipchains ISAKMP negotiation successful, IPsec connection established, but traffic doesn t get from A to B 43 43

IPsec Troubleshooting cont. If encrypted session is established, but times out after a predictable period of time (3600 sec): verify that all systems have the same lifetimes set for SAs, keys deliberate session disconnect due to inactivity? interoperability issues? 44 44

IPsec Troubleshooting cont. If encrypted session is established and network resources are visible, but not accessible to the user, verify that NT Domain controls aren t blocking them. 45 45

IPsec Troubleshooting cont. tcpdump, a UNIX-based packet sniffing tool, can be used to monitor the progress of a VPN connection being established. Look for successful key negotiation, user authentication, correct routing Be sure all required servers are responding 46 46

IPsec Troubleshooting cont. tcpdump can also verify that VPN is running On endpoints of connection: make sure all traffic is IP 50, IP 51, maybe UDP 500, maybe authentication traffic 47 47

IPsec Known Issues Problems with Path MTU Discovery Bugs in ISAKMP or key regeneration IKE requires known source port NAT breaksipsec 48 48

Path MTU Discovery Symptom: large packets (HTTP, other large file transfers, database apps) do not get transmitted across the VPN, or performance becomes unacceptably slow Problem: IPsec increases size of large packets above supported MTU, requires fragmentation 49 49

Path MTU Discovery cont. Work-around: force smaller packets! Manually configure servers (behind IPsec gateways) for a lower MTU Want size of (data + IPsec) to be below max MTU of gateways 50 50

ISAKMP Problems. Cisco 12.0(6) and related versions of IOS Or multi-vendor IPsec networks IKE fails to negotiate new keys after key lifetime expires Workaround: manually force new keys Solution: harrass your vendors 51 51

IKE and UDP/500 ISAKMP: source anddestport UDP/500 for key management and SA negotiation IPsec gateways will not respond to IKE requests coming from other source ports 52 52

IKE and UDP/500 Workaround: keep remote IPsec systems out of NAT and port translating environments IPsec VPN clients tend to break behind firewalls even if firewall allows IPsec protocols 53 53

NAT breaks IPsec Packet integrity checks fail if headers change between VPN gateways All AH, ESP/transport mode vulnerable ESP/tunnel mode not vulnerable IKE problematic in NAT environments 54 54

NAT breaks IPsec cont. Workarounds: run NAT and IPsec on same gateway Vendor-specific: encapsulate IPsec packets over TCP or UDP Terminate IPsec outside NAT device 55 55

NAT breaks IPsec cont. Dan Harkins, co-author of IKE: NAT is the kind of attack IPsec was designed to detect. 56 56

IPsec Best Practices Use ESP/tunnel mode -- provides authentication/confidentiality of payload and header Configure ESP to perform per-packet authentication 3DES or Blowfish encryption SHA-1 for authentication 57 57

IPsec Tools Patch fortcpdump (versions 3.4 and later) Decodes IKE and some IPsec transactions Timo Rinne (30 June 1999) posted to *BSD development teams 58 58

For more info: VPN Resources on the World Wide Web: http://kubarb.phsx.ukans.edu/~tbird/vpn.html VPN Mailing list: vpn@securityfocus.com 59 59

Please be sure to fill out the course evaluation! 60 60

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information