EZVPN is a technology that lets you form an ISAKMP/IPsec VPN tunnel from a site with a dynamically assigned IP (the EZVPN Client) back to a device with a static IP (the EZVPN Server).
I’ve called this EZVPN revisited, because this is a technology I’ve talked about before. So why am I here again? Well back then I used the ASDM. If you do that now, you need to go in and mess about with things to get it to work properly. Last week a client was asking me about buying a 5505 for his home, and putting a VPN into his place of work. Obviously he did not have a static IP at home, which was why I suggested EZVPN.
So it’s time to ‘Man Up’ and get to grips with the CLI. In the example below my corporate LAN is behind a Cisco ASA 5515-X, and my ‘Home Office’ is behind a Cisco ASA 5506-X, (you can use a 5508-X as well, or an old 5505).
Solution
So how does EZVPN work? There's no separate or special technology; it's a good old-fashioned client IPsec VPN, the same one we used to use the old Cisco IPsec VPN client for (yes, the one that went end of life in 2011!).
But instead of using a piece of software to supply the username/password and the group name/pre-shared key, you configure a hardware device to supply those details. That lets the hardware device bring up what is, as far as the head end is concerned, a software client VPN session. There are two ways of doing this: Client Mode and Network Extension Mode (NEM).
Client Mode: Works exactly like the VPN client software, and leases a single IP address from a pool of addresses supplied by the ASA (or a DHCP server). Everything behind the remote device is hidden behind that one address, so hosts at the main site cannot initiate connections to the remote LAN.
Network Extension Mode: This works like a 'proper' site-to-site VPN, insofar as all the IP addresses on the client/remote site keep their own addresses and can be reached from the main site.
I'm going to use Network Extension Mode for this example. I'm also going to enable 'split tunnelling', so that only traffic destined for the corporate LAN goes over the VPN and everything else goes straight out to the Internet from the remote site.
Remote EZVPN Client WARNING
The client that 'dials in' cannot be running any other VPN solution. In fact it can't even have IKE policies defined (even if they are not in use).
My interfaces are called inside and outside; yours might be different!
Crypto Map Warning: If you already have a crypto map applied to the outside interface, use the name of the existing one (i.e. NOT CRYPTO-MAP), or your existing VPNs will stop working! Issue a 'show run crypto map' command to check.
I have not enabled PFS. (If I had, it would have been set in the crypto map.) It costs little and means that a compromised IKE SA does not expose the keys of earlier IPsec SAs, so consider enabling it on anything other than a test setup.
To add another site in Client Mode you would simply add another username and password on the EZVPN server. With Network Extension Mode you would add an object and NAT exemption on the main site, then set up a new username and password for that site, like so;
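The two warnings above (nothing VPN-related on the client, and reuse of an existing crypto map on the server) can be checked against 'show run' output before you touch either box. The script below is an added example, not the original post's configuration and not a Cisco tool: it finds the crypto map already applied to the outside interface on the head end, so you reuse that name rather than CRYPTO-MAP, and lists the leftover IKE policies and crypto maps on the prospective hardware client that would stop EZVPN working. Both config snippets inside it are constructed for the example; the map name SITE-TO-SITE, the peer 198.51.100.7 and the ACL names are invented.

```python
"""Pre-flight checks for an ASA EZVPN deployment (added example, not from the page)."""
import re

# 'crypto map <NAME> interface <IF>' binds a map to an interface.
CRYPTO_MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
# Any IKE policy definition (old 'isakmp' and newer 'ikev1'/'ikev2' syntax).
IKE_POLICY_RE = re.compile(r"^crypto (?:ikev1|ikev2|isakmp) policy \d+$")
# A numbered crypto map or dynamic crypto map entry.
CRYPTO_MAP_ENTRY_RE = re.compile(r"^crypto (?:dynamic-)?map (\S+) \d+ ")

# Constructed 'show run crypto map' from a head end that already has a site-to-site VPN.
SERVER_CRYPTO = """\
crypto map SITE-TO-SITE 10 match address VPN-TO-BRANCH
crypto map SITE-TO-SITE 10 set peer 198.51.100.7
crypto map SITE-TO-SITE 10 set ikev1 transform-set AES-SHA
crypto map SITE-TO-SITE interface outside
"""

# Constructed config from a would-be EZVPN client that still has an old VPN defined.
CLIENT_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto map OLD-VPN 10 match address OLD-ACL
interface GigabitEthernet1/1
 nameif outside
"""


def applied_crypto_maps(config):
    """Return {interface name: crypto map name} for every applied crypto map."""
    applied = {}
    for line in config.splitlines():
        m = CRYPTO_MAP_IF_RE.match(line.strip())
        if m:
            applied[m.group(2)] = m.group(1)
    return applied


def crypto_map_name_for(config, interface="outside", default="CRYPTO-MAP"):
    """Name to use for the EZVPN dynamic entry: the map already on the interface, if any.

    Creating a second map and applying it would replace the existing one and
    break every site-to-site tunnel it carried.
    """
    return applied_crypto_maps(config).get(interface, default)


def client_blockers(config):
    """Lines on a prospective EZVPN hardware client that must be removed first."""
    blockers = []
    for line in config.splitlines():
        stripped = line.strip()
        if (IKE_POLICY_RE.match(stripped)
                or CRYPTO_MAP_ENTRY_RE.match(stripped)
                or CRYPTO_MAP_IF_RE.match(stripped)):
            blockers.append(stripped)
    return blockers


if __name__ == "__main__":
    print("Use crypto map name:", crypto_map_name_for(SERVER_CRYPTO))
    for line in client_blockers(CLIENT_CONFIG):
        print("Remove from client before enabling EZVPN:", line)
```

Feed it the real 'show run crypto map' and 'show run crypto' output from each box; an empty list from client_blockers is what you want before you start configuring the vpnclient commands.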
Mostly my conversion to Windows 8 has been pretty painless. The only thing that won't work is the VMware VI client: it can't open a console session to the VMs on my ESX server.
Error
The VMRC console has disconnected...attempting to reconnect
This happens because the IE10 that comes with Windows 8 does NOT LIKE the requests the VI client sends to the Internet Explorer plug-in.
Update 08/03/13 – This problem has now been fixed! Download the latest 5.1 version of the VI client. (see screenshot).
Solution
Work-Around 1: Use VMware Workstation (Note: scroll down for a permanent fix)
Until either Microsoft or VMware change something we are stuck! However, there is a work-around if you have VMware Workstation (download the trial; it will keep you ticking over until the problem is fixed!).
1. Launch VMware workstation > File > Connect to Server > Enter your ESX/vCenter server details > Connect.
Note: You may need to accept the certificate warning if you are using self signed certificates.
2. Now you can open a console session to your virtual machines.
Work-Around 2: Use VMware Guest Console
Download and run VMware Guest Console > Connect to a host or vCenter, and you can access the guest machines' consoles from there.
Permanent Fix
Sorry, the only way to fix this (at the time of writing) is to upgrade to vSphere 5.1 AND install the 5.1 version of the vSphere client. (You can't point the 5.1 client at a 5.0 host; it automatically launches the 5.0 version of the VI client.)
Note: You will need to update vCenter to 5.1 as well for that to work!
Problem Resolved
Update to the latest VI client, and the problem will cease.
Related Articles, References, Credits, or External Links
I wanted command-line access to a virtual firewall on my home ESXi server (a Juniper Firefly vSRX) via a console session. To do that I needed to add a serial port to that VM.
Solution
1. From Within the VI client > Select the ESXi Host > Configuration > Security Profile > Firewall Section > Properties.
2. Locate and enable ‘VM serial port connected over network’ > OK.
3. From the actual VM‘s properties, (right click > Edit settings) > Add > Serial Port > Next.
4. Connect via Network > Next.
5. Select ‘Server (VM listens for connection)’ > In Port URI enter telnet://{IP-of the ESX-Server}:2001 > Next.
Note: That's the IP of the ESX server, NOT the VM. Here I'm using port 2001, but you can use 23 (standard telnet) or a random port above 1024. Bear in mind this is plain telnet with no authentication: anyone who can reach that port on the host's management network gets the firewall's console. Restrict the 'VM serial port connected over network' firewall rule to the addresses you will connect from (the rule's properties let you allow only specific networks), and disable it again when you are not using it.
6. Review the settings > Finish.
7. Now, on a machine that has network connectivity to the ESX server, launch a telnet session to the VM (remember to use port 2001, as telnet defaults to 23!).
Here I'm using PuTTY, but you can run 'telnet {ip-address} {port}' from a Windows client (providing you have the telnet client enabled).
8. I’m in and working.
Related Articles, References, Credits, or External Links
Seen when using WDS on Windows Server 2008 (and 2008 R2). When attempting to PXE boot a client machine, it successfully gets an IP address, but it times out at the TFTP stage.
This is a common occurrence if the WDS server is also a DNS server. It happens on machines that have had the MS08-037 security update installed: the UDP ports that WDS needs are being reserved by the DNS server's socket pool.
Solution
1. On the WDS server > Start > in the search/run box type regedit {enter}.
By default, your remote VPN clients will time out their connections after 300 seconds of inactivity. Should you wish to increase that you can, on a user-by-user basis; however, sometimes that does not work. To fix the problem you need to disable ISAKMP monitoring at the "Head End".
1. Connect to the firewall (see here for instructions).
2. Login and go to enable mode.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
[/box]
3. We need to change the remote access IPSEC VPN tunnel group, to find out what its called issue a “show running-config tunnel-group” command.
The tunnel group we want will have an "ipsec-attributes" entry AND a "type remote-access" entry, so in the example below the tunnel group we want is called "IPSEC-VPN-GROUP" (yours may not be as well named!).
[box]
PetesASA# show running-config tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's a remote access group
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL
authentication-server-group PNL-KERBEROS LOCAL
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes <<< Its an IPSEC tunnel :)
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's a remote access group
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes <<< this ones an SSL group :(
group-alias PNL enable
PetesASA#
[/box]
4. Enter configuration mode (conf t) > then to add the new attribute issue "tunnel-group {tunnel group name} ipsec-attributes" > then to disable the keepalives issue "isakmp keepalive threshold infinite".
Finally, save your hard work with a "write mem" command.
[box]
PetesASA# conf t
PetesASA(config)# tunnel-group IPSEC-VPN-GROUP ipsec-attributes
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold infinite
PetesASA(config-tunnel-ipsec)# write mem
Building configuration...
Cryptochecksum: 5417d5a1 bee8b082 16c6f19d b3839f13
9379 bytes copied in 1.410 secs (9379 bytes/sec)
[OK]
PetesASA(config-tunnel-ipsec)#
[/box]
The newest versions of the AnyConnect client now show you the following;
If you are seeing this you're using the (default) self-signed certificate, or you connected to an IP address rather than the FQDN the certificate was issued for. But unlike before, you can now 'lower' the security so it does not warn you every time. Bear in mind that this warning is the only thing standing between you and a head end impersonated by someone in the path (the client will happily hand your credentials to it), so the proper fix is a certificate from a CA your clients trust, and connecting to the matching FQDN; switch the check off only for a lab or test box.
Solution
1. From the warning screen (shown above) select 'Change Settings...'.
2. Untick the 'Block connections to untrusted servers' option.
Or, if you are on OS X:
3. Now when you connect, you get the option of suppressing the warnings for this VPN connection.
Related Articles, References, Credits, or External Links
I upgraded a client's ASA 5510 firewall(s) yesterday. Post upgrade he got this error;
The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address.
Solution
Thankfully the error is pretty descriptive: the remote client cannot get an IP address. So I'm either missing an "ip local pool" command, or that pool is missing from the AnyConnect tunnel-group. To test;
[box]
WHAT IT SHOULD LOOK LIKE
Petes-ASA# show run | incl pool
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
 address-pool SSL-POOL
Petes-ASA#
[/box]
In the example above, the first line is my address pool, and the second line is that pool being applied to the tunnel-group I'm using for AnyConnect.
If you are missing both (I was, post upgrade)
Note: Change the subnet to match your requirements, and DON'T use addresses that are in use INSIDE your LAN (or on any network the clients will be routed to); overlapping ranges give you clients that connect but can't reach anything.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
[/box]
If you are missing the address-pool command
The IP pool used is referenced in the tunnel group (in the general-attributes section).
[box]
HERE THE POOL REFERENCE IS MISSING;
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
authentication-server-group Windows-IAS
default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
group-alias PROFILE enable
Petes-ASA#
TO ADD IT IN (Take note of the tunnel group name SSL-PROFILE (above))
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# tunnel-group SSL-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# address-pool SSL-POOL
Petes-ASA(config-tunnel-general)#
WHAT IT SHOULD LOOK LIKE
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
address-pool SSL-POOL
authentication-server-group Windows-IAS
default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
group-alias PROFILE enable
Petes-ASA#
This happened because (pre-migration) I had the following command in the firewall config;
[box]
ip local pool SSL-POOL 172.16.33.1 mask 255.255.255.0
[/box]
The firewall was (at that time) running version 8.2. In the past that syntax was fine; now you would need to specify the mask as 255.255.255.255 (to lease one address). During the conversion this command was dropped, so it was never added to the tunnel-group either. Moral: after any upgrade that rewrites the config, diff the old and new running-configs for lines that silently disappeared, rather than waiting for users to report it.
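Both this post and the ISAKMP keepalive post earlier on this page start by reading 'show run tunnel-group' and picking out the right group by eye. The script below is an added example, not the original posts' code and not a Cisco tool: it parses that output plus the 'ip local pool' lines and answers the questions each post asks. It lists the remote-access groups that have an ipsec-attributes section (the ones the keepalive change applies to, and whether they already carry an isakmp keepalive setting), reports remote-access groups with no address-pool or with a pool that is not defined (the cause of "No assigned address"), flags single-address pools written in the old 8.2 form without a /32 mask, and checks whether a pool overlaps an inside subnet. The sample config inside it is constructed, modelled on the output shown in these posts; the names IPSEC-VPN-DHCP-POOL, OLD-STYLE-POOL and BRANCH-L2L are invented for the example.

```python
"""Lint ASA running-config for remote-access VPN problems (added example, not from the page)."""
import ipaddress
import re

# 'ip local pool NAME first[-last] mask MASK'
POOL_RE = re.compile(r"^ip local pool (\S+) ([^\s-]+)(?:-(\S+))? mask (\S+)$")
# Top-level tunnel-group lines; indented lines below them are attributes.
TUNNEL_GROUP_RE = re.compile(
    r"^tunnel-group (\S+) (type|general-attributes|ipsec-attributes|webvpn-attributes)(?: (\S+))?$"
)

# Constructed sample config (not a real device).
SAMPLE_CONFIG = """\
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
ip local pool OLD-STYLE-POOL 172.16.33.1 mask 255.255.255.0
tunnel-group IPSEC-VPN-GROUP type remote-access
tunnel-group IPSEC-VPN-GROUP general-attributes
 address-pool IPSEC-VPN-DHCP-POOL
 default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
 pre-shared-key *****
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
 authentication-server-group Windows-IAS
 default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
 group-alias PROFILE enable
tunnel-group BRANCH-L2L type ipsec-l2l
tunnel-group BRANCH-L2L ipsec-attributes
 pre-shared-key *****
"""


def parse_pools(config):
    """Return {pool name: (first address, last address, mask)}."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            name, first, last, mask = m.groups()
            pools[name] = (first, last or first, mask)
    return pools


def parse_tunnel_groups(config):
    """Return {group name: {type, sections, address_pool, isakmp_keepalive}}."""
    groups = {}
    current = None
    for line in config.splitlines():
        m = TUNNEL_GROUP_RE.match(line.rstrip())
        if m:
            name, section, arg = m.groups()
            current = groups.setdefault(name, {
                "type": None, "sections": set(), "address_pool": None, "isakmp_keepalive": None,
            })
            if section == "type":
                current["type"] = arg
            else:
                current["sections"].add(section)
        elif line.startswith(" ") and current is not None:
            words = line.split()
            if not words:
                continue
            if words[0] == "address-pool" and len(words) > 1:
                current["address_pool"] = words[1]
            elif words[:2] == ["isakmp", "keepalive"]:
                current["isakmp_keepalive"] = " ".join(words[2:])
        else:
            current = None  # any other top-level line ends the tunnel-group block
    return groups


def remote_access_ipsec_groups(groups):
    """Step 3 of the keepalive fix: groups with 'type remote-access' AND ipsec-attributes."""
    return sorted(name for name, g in groups.items()
                  if g["type"] == "remote-access" and "ipsec-attributes" in g["sections"])


def pool_problems(config):
    """Everything that would produce 'No assigned address' or was dropped by the 8.3+ migration."""
    pools = parse_pools(config)
    problems = []
    for name, (first, last, mask) in pools.items():
        if first == last and mask != "255.255.255.255":
            problems.append(f"pool {name}: single address with mask {mask}; "
                            "the 8.3+ migration drops this form, use mask 255.255.255.255")
    for name, g in parse_tunnel_groups(config).items():
        if g["type"] != "remote-access":
            continue  # site-to-site groups lease no client addresses
        if g["address_pool"] is None:
            problems.append(f"tunnel-group {name}: no address-pool under general-attributes")
        elif g["address_pool"] not in pools:
            problems.append(f"tunnel-group {name}: address-pool {g['address_pool']} is not defined")
    return problems


def pools_inside_lan(pools, lan_subnets):
    """Names of pools whose first or last address falls inside one of the given subnets."""
    nets = [ipaddress.ip_network(s) for s in lan_subnets]
    clashing = []
    for name, (first, last, _mask) in pools.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if any(lo in n or hi in n for n in nets):
            clashing.append(name)
    return sorted(clashing)


if __name__ == "__main__":
    groups = parse_tunnel_groups(SAMPLE_CONFIG)
    print("remote-access IPsec groups:", remote_access_ipsec_groups(groups))
    for problem in pool_problems(SAMPLE_CONFIG):
        print("PROBLEM:", problem)
    print("pools clashing with LAN:", pools_inside_lan(parse_pools(SAMPLE_CONFIG), ["172.16.33.0/24"]))
```

Run it against a saved 'show run' from before and after an upgrade and the dropped pool shows up as a problem on the new config only; pass your inside subnets to pools_inside_lan to catch the overlap the note above warns about.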
Related Articles, References, Credits, or External Links
I only tend to use AnyConnect for VPN. So while I was at a client's site the other week, I wanted to jump onto my test servers at home and was greeted by this;
“The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.”
Solution
I was slightly confused, because I had authenticated to the client's wireless network and was happily browsing the Internet.
As it turns out, when the AnyConnect service started (when I opened my laptop), I had not yet authenticated (they have a sponsored wireless access procedure), so the agent had cached the captive portal's response.
1. Windows Key+R > services.msc > locate the ‘Cisco AnyConnect Secure Mobility Agent’.
2. Restart the service and try again.
Related Articles, References, Credits, or External Links