VMware: Creating a Storage Encryption Policy

KB ID 0001471

Problem

This is essentially part-two of deploying encrypted virtual machines, in a vSphere VMware (6.5 and above) environment. Back in part-one we deployed a KMS server and registered it with vCenter. Now we will create a storage policy that enforces encryption, then apply that policy to a virtual machine.

Solution

While logged into vCenter > Home > Policies and Profiles > VM Storage Policies > Create VM Storage Policy > Give it a name > Next.

Next.

Add > Encryption. Note: On some versions of vCenter, Select Encryption > Custom.

Accept the defaults > Next.

Untick “Use rule-sets in the storage policy” > Next.

This just shows you which ‘Datastores‘ are compatible, (it’s not going to encrypt them, or format them, or anything!) > Next

Finish.

Apply an Encryption Storage Policy to a VM

There are a couple of ways to do this. Before you start, make sure the VM is in a compatible Datastore >  Right click the (powered off) VM > VM Polices > Edit VM Storage Policies > Select VM Home (to encrypt the entire VM), or the individual disks (to encrypt them only) > Change the policy to the encrypted one you just created > OK.

Or to encrypt the drives manually > Right Click the VM > Edit Settings > Expand the hard drive > VM Storage Policy > Change the policy to the one you created above. (Note: this only encrypts the drives, NOT the entire VM).

Check Virtual Machine Encryption

If a VM is encrypted then it will tell you on its ‘Virtual Hardware‘ tab, you will also notice that encrypted drives have a small ‘padlock’ over them.

Additionally: Under VM Options, you will notice that Encrypted vMotion is now set to ‘Required‘.

You can also tell at a glance from the virtual machines ‘Summary tab‘.

Things You Need To Know About Encrypted Virtual Machines

  • To encrypt a VM it must be Powered off.

The attempted operation cannot be performed in the current state (“Powered On”).

  • To encrypt an VM it must have No Snapshots.

Invalid virtual machine configuration.
Cannot change encryption state with virtual machine snapshots present.

  • Fault Tolerance is Not Supported.

Unsupported virtual machine configuration for Fault Tolerance

  • vSphere replication is Not Supported.
  • Cloning Is Supported, but the cloned VM has the same encryption keys as the source.
  • Snapshots Are Supported, but, you will see the following error if you attempt to snapshot of an encrypted VM.

The virtual machine is encrypted and guest memory cannot be saved.

You need to ‘untick’, Snapshot the virtual machine memory.

  • You cant ‘Suspend‘ an encrypted virtual machine.

The virtual machine is encrypted and cannot be suspended. Failed to suspend the virtual machine. Incorrect virtual machine state.

  • You cannot export an encrypted virtual machine to OVF file.

Provider method implementation threw unexpected exception: %s VapiStructureProxy.cause
The operation failed due to the operation is not supported on the object

Related Articles, References, Credits, or External Links

NA

VMware vSphere Virtual Machine Encryption

KB ID 0001470

Problem

Other that learn this for an exam I’ve never had to deploy this in anger. So when I heard we had a customer at work who wanted to take a look at it I was quite keen to take a look.

To encrypt a VM you need to have an additional KMS (Key Management server) which VMware do not provide. They do provide a list, so theres no point me posting a list that will be out of date in a couple of weeks. Our client expressed a preference for HyTrust, so that’s what I ran with

WARNINIG: You need vCenter 6.5 or above to do VM encryption

Deploy HyTrust KMS Server

At time of writing the current version is 4.2.1 you can get a 60 trial if you want to give it a test.

Pull down the appliance and deploy the OVF into your environment;

VMware vSphere – How to Import and Export OVF and OVA Files

Go get a coffee, when deployed, connect to the console set a console password, and follow the instructions until it tells you to connect via a browser.

Connect via a browser (default username and password is secroot), Change the password when prompted, and proceed to KMIP. By default the service is disabled so enable it. (Take note of the port number, 5696 you will ned this later!)

Client Certificates > Action > Create Certificate > Give it a name, and leave the password section blank.

Actions > Download certificate > Save the Zip file, if you open it you will find two PEM files, (you only actually need the one that has the same name as you used above).

Over on your vCenter  > Select the vCenter > Configure > Key Management Servers > Add.

Supply a name, the IP address of the appliance, and the port number > OK > Yes.

Trust.

Select the KMS > Establish trust with KMS.

Upload a certificate and private key > OK.

Paste in the SAME PEM FILE into both top and bottom windows. (The one with the name you chose, and downloaded earlier) > OK.

If you have done everything right all the status lights should ‘go-green’

You can now create a VM Storage Encryption Policy. (Well you can create one first, but without a KMS server, nothing will get encrypted).

Part Two: VMware: Creating a Storage Encryption Policy

Related Articles, References, Credits, or External Links

NA

Cisco IOS – Configuring Switch to Switch MACSEC

KB ID 0001000 

Problem

My colleague had to set this up on the test bench today, and it looked infinitely more interesting that what I was doing, so I grabbed my console cable, and offered to ‘help’.

This was done on two Cisco Catalyst 3560-X switches, each with a 10G Service Module (C3KX-SM-10G), and 1Gb SFP modules (Note: Not 10Gb ones, this will become important later).

Solution

1. First hurdle was, when we tried to add the first command to the interface ‘cts man’ it would not accept the command, you need to make sure you are running either IP Base, or the IP Services feature set.

Note: We are running the universal IOS image this allows us to do the following;

[box]

Switch(config)#license boot level ipbase
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR

LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH
PRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.

You hereby acknowledge and agree that the product feature license
is terminable and that the product feature enabled by such license
may be shut down or terminated by Cisco after expiration of the
applicable term of the license (e.g., 30-day trial period). Cisco
reserves the right to terminate or shut down any such product feature
electronically or by any other means available. While alerts or such
messages may be provided, it is your sole responsibility to monitor
your terminable usage of any product feature enabled by the license
and to ensure that your systems and networks are prepared for the shut
down of the product feature. You acknowledge and agree that Cisco will
not have any liability whatsoever for any damages, including, but not
limited to, direct, indirect, special, or consequential damages related
to any product feature being shutdown or terminated. By clicking the
"accept" button or typing "yes" you are indicating you have read and
agree to be bound by all the terms provided herein.

ACCEPT? (yes/[no]): yes
Switch(config)#
Mar 30 01:43:18.513: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name
= c3560x Next reboot level = ipbase and License = ipbase

[/box]

Then reload the switch.

2. Then this jumped up and bit us;

[box]

Mar 30 01:32:07.400: %CTS-6-PORT_UNAUTHORIZED: Port unauthorized for int(Te1/1)
Mar 30 01:32:19.379: %PLATFORM_SM10G-3-SW_VERSION_MISMATCH: The FRULink 10G Service Module (C3KX-SM-10G) in switch 1 has a software version that is incompatible
with the IOS software version. Please update the software. Module is in pass-thru mode.

[/box]

3. If you issue the following command, you can see the difference (highlighted).

[box]

Switch#show switch service-modules
Switch/Stack supports service module CPU version: 03.00.76
                          Temperature                     CPU
Switch#  H/W Status       (CPU/FPGA)      CPU Link      Version
-----------------------------------------------------------------
 1       OK               41C/47C         ver-mismatch  03.00.41


Switch#

[/box]

4. So a quick download from Cisco later, with the file on a FAT32 formatted USB drive.

[box]

Switch#archive download-sw usbflash0:/c3kx-sm10g-tar.150-2.SE6.tar
examining image...
extracting info (100 bytes)
extracting c3kx-sm10g-mz.150-2.SE6/info (499 bytes)
extracting info (100 bytes)

System Type: 0x00010002
Ios Image File Size: 0x017BDA00
Total Image File Size: 0x017BDA00
Minimum Dram required: 0x08000000
Image Suffix: sm10g-150-2.SE6
Image Directory: c3kx-sm10g-mz.150-2.SE6
Image Name: c3kx-sm10g-mz.150-2.SE6.bin
Image Feature: IP|LAYER_3|MIN_DRAM_MEG=128
FRU Module Version: 03.00.76

Updating FRU Module on switch 1...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!
!!!!!!!!!!!!!!!!!!!

Updating FRU FPGA image...

FPGA image update complete.
All software images installed.
Switch#

[/box]

Configuring One Switch Uplink for MACSEC

1. Notice I’m configuring GigabitEthernet 1/2 NOT TenGigabitEthernet 1/1, this is because I’m using 1Gb SFP’s, both interfaces are listed in the config! (This confused us for about twenty minutes). We are not using dot1x authentication, we are simply using a shared secret password (abc123). Note: This has to be a hexedecimal password i.e numbers 0-9 and letters a-f.

[box]

Switch(config)#interface GigabitEthernet 1/2
Switch(config-if)#cts man
% Enabling macsec on Gi1/2 (may take a few seconds)...

Switch(config-if-cts-manual)#no propagate sgt
Switch(config-if-cts-manual)#sap pmk abc123 mode-list gcm-encrypt
Switch(config-if-cts-manual)#no shut
Switch(config-if)#
Mar 30 01:59:03.800: %CTS-6-PORT_UNAUTHORIZED: Port unauthorized for int(Gi1/2)
Mar 30 01:59:04.799: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthe
rnet1/2, changed state to down
Mar 30 01:59:05.805: %LINK-3-UPDOWN: Interface GigabitEthernet1/2, changed state
to down
Mar 30 01:59:08.339: %LINK-3-UPDOWN: Interface GigabitEthernet1/2, changed state
to up
Mar 30 01:59:09.329: %CTS-6-PORT_UNAUTHORIZED: Port unauthorized for int(Gi1/2)
Mar 30 01:59:10.016: %CTS-6-PORT_AUTHORIZED_SUCCESS: Port authorized for int(Gi1/2)
Mar 30 01:59:11.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthe
rnet1/2, changed state to up

[/box]

Configuring A Port-Channel Switch Uplink for MACSEC

1. Configure MACSEC on both physical interfaces, before you ‘port-channel’ them. The second interface (when using 1GB SFP’s), is GigabitEthernet 1/4.

[box]

!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
!
interface GigabitEthernet1/2
switchport trunk encapsulation dot1q
switchport mode trunk
cts manual
no propagate sgt
sap pmk abc123 mode-list gcm-encrypt
channel-group 1 mode on
!

interface GigabitEthernet1/4
switchport trunk encapsulation dot1q
switchport mode trunk
cts manual
no propagate sgt
sap pmk abc123 mode-list gcm-encrypt
channel-group 1 mode on
!

[/box]

 

Related Articles, References, Credits, or External Links

Thanks to Steve Housego (www.linevty.com) for doing 97% of the hard work, whilst being slowed down by my ‘help’.

Implementing GDOI into DMVPN

KB ID 0000956 

Problem

Just recently I covered DMVPN, which is a great scalable system for adding new sites to your network infrastructure and have them join an existing VPN solution without the need to add extra config at the ‘hub’ site.

One of the advantages of DMVPN is it maintains VPN connections from your ‘Spoke’ sites back to the ‘Hub’ site, but if a spoke site needs to speak to another spoke site, it will dynamically build a VPN tunnel to that spoke site.

That’s great right? Well it’s pretty cool, but there is a downside. There is a slight ‘lag’ while that dynamic VPN is established, for normal network traffic you probably wont even notice, but if you are sending streaming media, or voice traffic then it becomes more of a problem.

So if we had a system where all the routers have all the same settings, the hub router wouldn’t need to ‘broker’ the initial connection and the routers get all their VPN settings from a central ‘Server’. Well that’s what GDOI gives us, we set up a router as a central ‘Key Server’ and all the other GDOI ‘Group Members’ register with the key server, and get all their settings.

So I’ll use the same network that I built the DMVPN on, I’ve added another router that will be the ‘Key Server’, other than that the topology is the same.

Note: The GDOI Key Server, cannot run on the DMVPN hub router.

Solution

GDOI Key Server Setup

1. Firstly setup the requirements for ISAKMP phase 1. Note: here I’m using pre-shared keys, this does not scale well if you have a lot of sites, you might want to look at a PKI solution and use certificates instead.

[box]

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0

EXAMPLE

KS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
KS(config)#crypto isakmp policy 10
KS(config-isakmp)#encr aes
KS(config-isakmp)#authentication pre-share
KS(config-isakmp)#group 2
KS(config-isakmp)#crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
KS(config)#

[/box]

2. Then setup IPSEC phase 2 requirements. With a transform-set and a profile.

[box]

crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac

crypto ipsec profile PF-GDOI
set transform-set TS-GDOI

EXAMPLE

KS(config)#crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac
KS(cfg-crypto-trans)#crypto ipsec profile PF-GDOI
KS(ipsec-profile)#set transform-set TS-GDOI
KS(ipsec-profile)#

[/box]

3. The Key server will use its certificate for authentication, if you DO have a PKI solution and this router has already enrolled to it then you can skip this step. If not you need to generate a LOCAL certificate on the key server. (Note: This requires the device to have a hostname and domain name set).

[box]

ip domain-name testbench.local
crypto key generate rsa modulus 2048

EXAMPLE

KS(config)#ip domain-name testbench.local
KS(config)#crypto key generate rsa modulus 2048

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
*Mar 1 00:17:13.591: %SSH-5-ENABLED: SSH 1.99 has been enabled
KS(config)#

[/box]

4. To setup the key server, create a group (GDOI-VPN) and give it an identity number,all members of the group will share this number. It used the profile we created above, and will apply encryption based on ACL 123 (we will create in a minute). Finally it sets the IP that it will be used as the key servers (this is the IP in use on FastEthernet 0/0).

[box]

crypto gdoi group GDOI-DMVPN
identity number 999
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa rsa
rekey transport unicast
sa ipsec 10
profile PF-GDOI
match address ipv4 123
replay counter window-size 64
address ipv4 5.5.5.2

EXAMPLE

KS(config)#crypto gdoi group GDOI-DMVPN
KS(config-gdoi-group)#identity number 999
KS(config-gdoi-group)#server local
KS(gdoi-local-server)# rekey retransmit 10 number 2
KS(gdoi-local-server)# rekey authentication mypubkey rsa rsa
KS(gdoi-local-server)# rekey transport unicast
KS(gdoi-local-server)# sa ipsec 10
KS(gdoi-sa-ipsec)# profile PF-GDOI
KS(gdoi-sa-ipsec)# match address ipv4 123
KS(gdoi-sa-ipsec)# replay counter window-size 64
KS(gdoi-sa-ipsec)# address ipv4 5.5.5.2
KS(gdoi-local-server)#

[/box]

5. Create the ACL we specified above, this ACL will get downloaded to all the group members. As will the VPN profile, they will then apply that profile to traffic defined in the ACL. It’s an ‘interesting traffic ACL, (if you are used to working with VPN’s).

[box]

access-list 123 permit gre any any

EXAMPLE

KS(config)#access-list 123 permit gre any any
KS(config)#

[/box]

Setup GDOI Group Members

Note: These settings are the same for the DMVPN hub router and all the spoke routers.

6. As above we specify a matching phase 1 policy.

[box]

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0

EXAMPLE

Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#crypto isakmp policy 10
Branch1(config-isakmp)#encr aes
Branch1(config-isakmp)#authentication pre-share
Branch1(config-isakmp)#group 2
Branch1(config-isakmp)#crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
Branch1(config)#

[/box]

7. Then join the router to the GDOI group.

[box]

crypto gdoi group GDOI-DMVPN
identity number 999
server address ipv4 5.5.5.2

EXAMPLE

Branch1(config)#crypto gdoi group GDOI-DMVPN
Branch1(config-gdoi-group)#identity number 999
Branch1(config-gdoi-group)#server address ipv4 5.5.5.2
Branch1(config-gdoi-group)#exit

[/box]

8. Then use that group to create a ‘crypto map’, and apply that map to the public interface that ‘faces outwards’. Note: Normally when applying encryption to DMVPN you would apply your crypto to the tunnel interface, with GDOI you do NOT.

[box]

crypto map CM-GDOI 10 gdoi
set group GDOI-DMVPN
interface FastEthernet0/0
crypto map CM-GDOI

EXAMPLE

Branch1(config)#crypto map CM-GDOI 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
group has been configured.
Branch1(config-crypto-map)#set group GDOI-DMVPN
Branch1(config-crypto-map)#interface FastEthernet0/0
Branch1(config-if)#crypto map CM-GDOI
*Mar 1 05:11:31.546: %CRYPTO-5-GM_REGSTER: Start registration to KS 5.5.5.2 for group GDOI-DMVPN using address 2.2.2.1
*Mar 1 05:11:31.582: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON

[/box]

9. Now I could add a route to my DMVPN network, with a static statement (i.e. ip route 192.168.0.0 0.0.255.255 Tunnel0), but I’m using EIGRP anyway, so I can just advertise the DMVPN network into my EIGRP group.

[box]

router eigrp 20
network 192.168.0.0

EXAMPLE

Branch1(config)#router eigrp 20
Branch1(config-router)#network 192.168.0.0
Branch1(config-router)#exit
Branch1(config)#

[/box]

Testing GDOI

[box]

Branch1#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: port 848
IKE SA: local 2.2.2.1/848 remote 5.5.5.2/848 Active
IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

Branch1#

Branch1#show crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-DMVPN
    Group Identity           : 999
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 5.5.5.2
    Group Server list        : 5.5.5.2

    GM Reregisters in        : 2042 secs
    Rekey Received           : never


    Rekeys received
         Cumulative          : 0
         After registration  : 0

 ACL Downloaded From KS 5.5.5.2:
   access-list  permit gre any any

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x93842CD3(2474912979)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2197)
        Anti-Replay : Disabled

[/box]

Complete GDOI with DMVPN Configs

Below I’ll show the configs, with the GDOI config highlighted in Red and the DMVPN config highlighted in blue.

[box]

GDOI Key Server Config

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac 
!
crypto ipsec profile PF-GDOI
set transform-set TS-GDOI
!
crypto gdoi group GDOI-DMVPN
identity number 999
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa rsa
rekey transport unicast
sa ipsec 10
profile PF-GDOI
match address ipv4 123
replay counter window-size 64
address ipv4 5.5.5.2
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
ip address 5.5.5.2 255.255.255.252
speed auto
half-duplex
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 20
network 5.5.5.0 0.0.0.3
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 123 permit gre any any
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end

[/box]

DMVPN Hub Server Config

[box]


version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname MainSiteRTR
! 
boot-start-marker 
boot-end-marker 
! 
no aaa new-model 
memory-size iomem 5 
no ip icmp rate-limit unreachable 
ip cef ! no ip domain lookup 
! 
multilink bundle-name authenticated 
! 
archive 
log config 
hidekeys 
! 
crypto isakmp policy 10 
encr aes 
authentication pre-share 
group 2 
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
 
!
crypto gdoi group GDOI-DMVPN 
identity number 999 
server address ipv4 5.5.5.2 
!
crypto map CM-GDOI 10 gdoi 
set group GDOI-DMVPN 
! 
ip tcp synwait-time 5 
!
interface Tunnel0 
ip address 192.168.0.1 255.255.255.0 
no ip redirects 
ip nhrp map multicast dynamic 
ip nhrp network-id 1 tunnel source 1.1.1.1 
tunnel mode gre multipoint 
! 
interface FastEthernet0/0 
ip address 172.16.1.1 255.255.0.0 
duplex auto 
speed auto 
! 
interface FastEthernet0/1 
ip address 1.1.1.1 255.255.255.252 
duplex auto 
speed auto 
crypto map CM-GDOI 
! 
interface FastEthernet1/0 
ip address 5.5.5.1 255.255.255.252 
duplex auto 
speed auto 
! 
router eigrp 20 
network 1.1.1.0 0.0.0.3 
network 5.5.5.0 0.0.0.3 
network 172.16.1.0 0.0.0.255 
network 192.168.0.0 
no auto-summary 
! 
ip forward-protocol nd 
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 
! 
no ip http server 
no ip http secure-server 
! 
no cdp log mismatch duplex 
! 
control-plane 
! 
line con 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line aux 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line vty 0 4 
login 
! 
end 

Branch (Spoke) Routers 

version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname Branch1 
! 
boot-start-marker 
boot-end-marker 
! 
no aaa new-model
memory-size iomem 5 
no ip icmp rate-limit unreachable 
ip cef 
! 
no ip domain lookup 
! 
multilink bundle-name authenticated 
! 
archive log 
config hidekeys 
! 
 crypto isakmp policy 10 
encr aes 
authentication pre-share 
group 2 
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0 
!
 crypto gdoi group GDOI-DMVPN 
identity number 999 
server address ipv4 5.5.5.2 
!
 crypto map CM-GDOI 10 gdoi 
set group GDOI-DMVPN 
! 
ip tcp synwait-time 5 
!
 interface Tunnel0 ip address 192.168.0.2 255.255.255.0 
no ip redirects 
ip nhrp map 192.168.0.1 1.1.1.1 
ip nhrp map multicast 1.1.1.1 
ip nhrp network-id 1 
ip nhrp nhs 192.168.0.1 tunnel source 2.2.2.1 
tunnel mode gre multipoint 
! 
interface FastEthernet0/0 
ip address 2.2.2.1 255.255.255.252 
duplex auto 
speed auto 
crypto map CM-GDOI 
! 
interface FastEthernet0/1
ip address 172.17.1.1 255.255.0.0
duplex auto 
speed auto 
! 
router eigrp 20 
network 2.2.2.0 0.0.0.3 
network 172.17.0.0 
network 192.168.0.0
 no auto-summary 
! 
ip forward-protocol nd 
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 
! 
no ip http server 
no ip http secure-server 
! 
control-plane
! 
line con 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line aux 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line vty 0 4 
login 
! 
end

[/box]

Related Articles, References, Credits, or External Links

Cisco – Configuring Dynamic Multipoint Virtual Private Networks DMVPN

Using OSPF over DMVPN

ASA 5500 AnyConnect – Change Preferred Encryption Cipher Order

KB ID 0001058 

Problem

A few days ago I wrote about disabling SSL v3.0 to force your clients to connect with the more secure TLS v1.0. But what if your AnyConnect clients chose to connect with a weaker encryption cipher? The ciphers your firewall offer (by default) will vary depending on what OS your ASA is running.

Solution

1. To see what your cipher you are connected with look on the statistics tab, below we are connecting with the AES 128 encryption protocol and using SHA1 for hashing.

2. Where as here we are connecting with the more secure AES 256 and using SHA1 for hashing.

2. I force this by use of the ‘ssl encryption {option 1} {option 2} {etc.}’ approach. Below the first command indicated had AES 128 as the first encryption cipher, and the second command has AES 256, by specifying which order, you specify the order that the ASA offers the remote AnyConnect client.

WARNING: Removing ciphers can cause problems connecting to ASDM see this article.

Ciphers supported by AnyConnect 4

TLS 1.3 is supported in the software, but not supported on ASA until version 9.3(2)

  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES128-SHA256
  • AES256-SHA256
  • AES128-SHA256

 

 

Related Articles, References, Credits, or External Links

NA