Friday, July 1, 2016

F5 Lab Guide Set Up

----------------------------------------------------------------------------------------------
F5 Lab Guide Set Up
----------------------------------------------------------------------------------------------



I have to learn and practice iRules. That's why I decided to set up my lab. Below you can find my notes. For some of you it may be easy but I wanted to be clear enough even for people with basic computer/network skills.
----------------------------------------------------------------------------------------------



Required components:

1)VMware Player

2)BIG-IP: BIGIP-11.3.0.39.0-scsi.ova

  https://f5.com/products/trials/product-trials

  You have to select 1 option, register and generate license which will be sent by email (you have to start downloading).

3)Application servers (min 2) - Centos 64-bit (minimal ISO):

  http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1511.iso

4) Client server

  http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Everything-1511.iso

----------------------------------------------------------------------------------------------

Install steps:

1) install VMware Player

   Once you install VMware check what subnet is allocated for your VM interfaces (may be different from what I have):


Ethernet adapter VMware Network Adapter VMnet1:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::fcb8:569:6ada:d9cc%50
   IPv4 Address. . . . . . . . . . . : 192.168.80.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet8:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::c884:6070:5f40:e90d%51
   IPv4 Address. . . . . . . . . . . : 192.168.174.1                  
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :



2) install BIG-IP package

 a) Home->Create a New Virtual Machine and click Import
 b) Accept license and wait couple of minutes
 c) Before you start VM change network settings:
    - select your new VM and click 'Edit virtual machine settings'
    - you should be in the 'Hardware' tab and find 'Network Adapter' (you should have 4)
    - select 1st one (management access) and set: Custom: VMnet8 (NAT)
    - select 2nd one (client interface) and set: Custom: VMnet1 (Host-only)
    - select 3rd one (server interface) and set: Custom: VMnet2
    - click OK

3) install (2x) Linux server (Centos)

 a) Home->Create a New Virtual Machine
 b) Select 2nd option: Installer disc image (iso) and select your image, then click Next
 c) Change default name to Server1/Server2 (just example), then click Next
 d) Akcept Disk settings and click Next
 e) Review settings and click Finish
 f) Select 1st option "Install CentOS 7"
 g) Select desired languge theme and click Continue
 h) Select Date&Time and select your timezone
 i) Select Installation Destination, review it and click 'Done' (top-left corner)
 j) You may change network settings (optional, we will change it during setup)
 k) Click Begin Installation
 l) Select and set a Root Password and click 'Done' (top-left corner)
 m) Wait couple of minutes - installation in progress...
 n) Click Reboot


----------------------------------------------------------------------------------------------

Set-up steps:


*****************************************************************
how to use vi editor:

- once you type: vi filename
- before you can edit you have to type ':i' to enter edit mode
- once you finish click 'Esc' and you will be back in read mode
- to save file: ':w'
- to exit file: ':q'
- to save and exit: ':wq'
*****************************************************************


1) Application server1

  a) set a static IP (you can also do it during installation): 


     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      please check what is your interface name by:
          ls /etc/sysconfig/network-scripts/
     !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


     vi /etc/sysconfig/network-scripts/ifcfg-eno16777736

     You need to change following parameters here:

     -BOOTPROTO="static"
    
     and add 3 new:

     -IPADDR=192.168.175.133
     -NETMASK=255.255.255.0
     -GATEWAY=192.168.175.110

   b) add a default gateway

      vi /etc/sysconfig/network-scripts/route-eno16777736

      default 192.168.175.110 dev eno16777736

   c) Web Application  (answer always 'Y')

      - install following packages:

      yum groupinstall "Web Server"
      yum install httpd
      yum install php
      yum install php php-mysql

      - set up Apache:

      vi /etc/httpd/conf/httpd.conf

      Find: #ServerName www.example.com:80 and add below:

      ServerName localhost

      - restart httpd service:

      service httpd restart

      or you can also restart your machine:

      shutdown -r now

    d) add a test webpage (otherwise you will see only 'welcome' page from Apache')

      cd /var/www
      vi index.html

      and add "Server1 IP address 192.168.175.133"

      so once you hit this server you will know on which one you are.


2) Application server2

     Repeat the same steps and modify IP address to 192.168.175.134


3) BIG-IP

     Default passwords: GUI admin/admin
                        CLI root/default
   
     https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13148.html


     a) set management IP:

       modify /sys global-settings mgmt-dhcp disabled
  
       create /sys management-ip 192.168.174.100/24

     b)  you can confirm you have correct IP:

        list /sys management-ip

     c) check what is your management route:

        list /sys management-route

     d) set correct default route for management interface:

        modify /sys management-route default gateway 192.168.174.1

     e) set admin password:

        modify auth user admin password XXXXXX

     f) save your settings:

        save /sys config partitions all
    
     g) open CLI (console or ssh)

        ssh 192.168.174.100

        and activate licenses:


       get_dossier -b XXXXX-XXXXX-XXXXX-XXXXX-XXXXXX

       copy that dossier and paste here:  https://secure.f5.com/Infopage/index.jsp

       once you generate license just download it and add to the file: /config/bigip.license

       vi /config/bigip.license

       and paste that license.Reload license:

       reloadlic

       Access WebGUI and finish activation process.


     h) add VLANs (from Web GUI)

        Menu: Network->VLANs: click Add with any name like Vlan1 and allocate physical interfaces 1.1 (untagged)
        Menu: Network->VLANs: click Add with any name like Vlan2 and allocate physical interfaces 1.2 (untagged)

     i) enable physical interfaces:

        Menu: Network->Interfaces, interfaces 1.1 and 1.2 should be enabled now

     j) add Self IPs:

        we should have one IP assigned for server's network and one for client's network:

        Menu:Network->Self IPs->Create:

        Name: serverNetwork
        IP: 192.168.175.110 (default gateway for my servers)
        Netmask: 255.255.255.0
        Vlan: vlan2
        
        Name: ClientNetwork
        IP: 192.168.80.110
        Netmask: 255.255.255.0
        Vlan: vlan1


     k) we are ready now to configure VIP

        - add a new Pool with 2 members: Menu: Local Traffic->Virtual Server->Pools select Add
        - add a new name PoolOfServers (example)
        - select http Healt Monitor
        - fill data of the 1st application server: node name: Server1, Address: 192.168.175.133, Port: 80        
        - click Add in the New Members section
        - repeat the same with 2nd server (192.168.175.134)
        - click Finished
        - add VIP: menu: Local Traffic->Virtual Servers->Virtual Server List and click Create
        - add: Name: VIP-test1, Address: 192.168.80.150, Service Port: 80, HTTP profile: http, default pool: PoolOfServers
        - click Finished
       
 
---------------------------------------------------------------------------------------------

Now you should be able to test the VIP (192.168.80.150) but your client should be in Vmnet1 in my case (192.168.80.0/24)

If you have any problems with understanding or something is unclear just let me know. I'll try to help you.

---------------------------------------------------------------------------------------------

Wednesday, February 3, 2016

IKEv1 aggresive mode

I know that IKEv2 is getting popular but still IKEv1 has a huge presence in production networks. There are many reasons but I’m not going to focus on them. I would rather focus on one issue I see from time to time: ikev1 and an aggressive mode. Just to remind you, there are two modes of ikev1: aggressive and main. The first one is much faster, only three messages are exchanged, but it isn’t secure as the main mode (with six messages). The main problem with the aggressive mode is the first two messages  contain data which may help to perform attack on your VPN.

For this test I set up VPN on ASA with ‘aggressive mode’ enabled:

ciscoasa# sh run crypto
crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac
crypto map MAPA 10 match address ACL
crypto map MAPA 10 set peer 192.168.111.128
crypto map MAPA 10 set ikev1 transform-set TS
crypto map MAPA interface inside
crypto ikev1 enable inside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ciscoasa#
ciscoasa# sh run tunnel
tunnel-group 192.168.111.128 type ipsec-l2l
tunnel-group 192.168.111.128 ipsec-attributes
 ikev1 pre-shared-key *****
ciscoasa#

To be 100% sure the aggressive mode is enabled:

ciscoasa(config)# no crypto ikev1 am-disable

There is one tool, quite old but still very useful: ike-scan  



Let’s try to scan my ASA:

 
 

You can use the flag ‘-P’ to see hash of the PSK:



The flag ‘-P’ is valid only with the aggressive mode as the main mode doesn’t reply with hash in 2nd message. You can also save the hash directly to the file (‘-Pfilename.txt), what is useful when you run a script:



 As we can see the file contain the hash:

  
Then we can use another tool (psk-crack) to decode the hash. It took just 10 minutes to find the pre-share-key:



As you can see it didn’t take too much time to find out what is your PSK.  I know my PSK was simple but you can use a dictionary attack on much powerful machine. One lesson from today’s lab: never use the aggressive mode and migrate to PKI if possible. 


 

F5 Lab Guide Set Up

---------------------------------------------------------------------------------------------- F5 Lab Guide Set Up -----------------------...