Setup a Site to Site IPsec VPN With Strongswan & Meraki MX (IKEv1)

Tags

Azure, Azure VPN Gateway, IKEv1, Meraki, Site2Site VPN, StrongSwan

Recently I am trying to build Site 2 Site IPSEC VPN with Azure VPN gateway and Meraki MX firewall. Meraki start supporting (27th May 2019) IKEv2 in their beta firmware MX 15.13 but it’s not stable.

Please check https://community.meraki.com/t5/Security-SD-WAN/Azure-VPN-IKEv2-intermittent/m-p/47688#M12029 and https://community.meraki.com/t5/Security-SD-WAN/IKEv2-support-on-MX-devices/m-p/48333#M12197

Azure Policy Based VPN gateway (IKEv1) is ok but it only suppotrs one Site 2 Site VPN tunnel.

To overcome the issue; I have created one Ubuntu Server which works as VPN gateway and added User-defined route to route all VPN traffic via Ubuntu Server.

A. Azure Configuration

1. Create a virtual machine. I my case I have created VM with Ubuntu 18.04 LTS with following specification

2. After creating VM go to VM > Networking > Network Interface and Enable IP forwarding settings

3. From NSG make sure UDP/500 and UDP/4500 has been allowed.

4. Create Route Table. 192.168.100.0/24 is the remote subnet and 10.0.0.9 is the IP address of Ubuntu Server.

5. Make sure you associate it with existing network/VNET

Continue reading →

Configure Express Route and Site-to-Site coexisting connections

Tags

Azure, Express Route, IPSEC, Meraki

 

We can now configure Express Route and Site-To-Site VPN connection that coexist. Can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that are not connected through ExpressRoute.

There are some limitation and restriction; for details please check:

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager

In this example I already have VPN Gateway configured with /24 Gateway Subnet

 

Now will create a New VPN Gateway for IPSEC

Step 1: Get the VNET, Gateway Subnet details

$vnet = Get-AzVirtualNetwork -Name SEGResourceGroup-vnet -ResourceGroupName SEGResourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

Step 2: New Public IP address and assign it to VPN gateway

$gwpip= New-AzPublicIpAddress -Name SEG-GatewayVPNPublicIP -ResourceGroupName SEGResourceGroup -Location australiaeast -AllocationMethod Dynamic
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name SEG-GatewayVPNPublicIPConfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

Step 3: Now create site-to-site VPN gateway

New-AzVirtualNetworkGateway -Name SEG-GatewayVPN -ResourceGroupName SEGResourceGroup -Location australiaeast -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Standard

Verify the VPN Gateway configuration. Important things to check:

GatewayType: VPN

VPNType: RouteBased

VPNClientConfiguration: IkeV2

Step 4: Create the Local Network Gateway Continue reading →

Oxidized ~ Network Device Configuration Backup

Tags

backup, cisco backup, juniper backup, network device config backup, oxidized, rancid alternatives

Oxidized is a network device configuration backup tool. It’s a RANCID replacement!

For details please check : https://github.com/ytti/oxidized

1. Install all required packages and gems.

sudo apt-get install ruby ruby-dev  libsqlite3-dev libssl-dev pkg-config cmake libssh2-1-dev tree -y
sudo gem install oxidized
sudo gem install oxidized-script oxidized-web

2. It is recommended practice to run Oxidized using its own username. This username can be added using standard command-line tools:

sudo useradd -m -d /home/oxidized oxidized
sudo su - oxidized

3. To initialize a default configuration in your home directory ~/.config/oxidized/config, simply run oxidized once.

oxidized

Continue reading →

SSH using public key authentication to IOS

Tags

cisco, pki

ip domain-name router.fakrul.com
!
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!
username fakrul privilege 15 secret R@nDomp@$$worD!
!
ip ssh pubkey-chain
 username fakrul
 key-string
 ! copy the entire public key as appears in the cat id_rsa.pub including the ssh-rsa and username@hostname.
 exit
 exit
!
ip ssh server algorithm authentication publickey !enable key based authentication only
!
line vty 0 4
transport input ssh
privilege level 15

Enable IPv6 in OpenVPN

Tags

IPv6, OpenVPN

In my earlier post (OpenVPN in Ubuntu 14.04) I have gone through the steps to install OpenVPN in Ubuntu; that was only for IPv4. To enable IPv6 in OpenVPN do the followings:

OpenVPN Server IP : 2001:df2:ee00:ee00::10/64

2001:df2:ee00:abcd::/64 has been routed to the OpenVPN server host. That mean users connected via OpenVPN will get one prefix from 2001:df2:ee00:abcd::/64 block.

Step 1: We need to edit OpenVPN configuration file and enable IPv6 tunnel service

vi /etc/openvpn/server.conf

Add the following :

server-ipv6 2001:0df2:ee00:abcd::/64
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2001:0df2:ee00:abcd::1 2001:0df2:ee00:abcd::2
push "route-ipv6 2001:0df2:ee00:ee00::2/64"
push "route-ipv6 2000::/3"

Step 2: Enable IPv6 forwarding:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Step 3: Reload OpenVPN Service

/etc/init.d/openvpn restart

Try connect your OpenVPN client. Test the IPv6 reachablity by accessing http://test-ipv6.com/

Note:
1. To make IPv6 forwarding persistent remember, in /etc/sysctl.conf uncomment:
net.ipv6.conf.all.forwarding = 1

2. Make sure that you route 2001:df2:ee00:abcd::/64 to you OpenVPN Server. I have done this from my cisco router

ipv6 route 2001:df2:ee00:abcd::/64 2001:df2:ee00:ee00::10