Skip to main content

Posts

Showing posts from 2016

F5 Lab Guide Set Up

---------------------------------------------------------------------------------------------- F5 Lab Guide Set Up ---------------------------------------------------------------------------------------------- I have to learn and practice iRules. That's why I decided to set up my lab. Below you can find my notes. For some of you it may be easy but I wanted to be clear enough even for people with basic computer/network skills. ---------------------------------------------------------------------------------------------- Required components: 1)VMware Player 2)BIG-IP: BIGIP-11.3.0.39.0-scsi.ova   https://f5.com/products/trials/product-trials   You have to select 1 option, register and generate license which will be sent by email (you have to start downloading). 3)Application servers (min 2) - Centos 64-bit (minimal ISO):   http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1511.iso 4) Client server   http://isoredirect....

IKEv1 aggresive mode

I know that IKEv2 is getting popular but still IKEv1 has a huge presence in production networks. There are many reasons but I’m not going to focus on them. I would rather focus on one issue I see from time to time: ikev1 and an aggressive mode. Just to remind you, there are two modes of ikev1: aggressive and main. The first one is much faster, only three messages are exchanged, but it isn’t secure as the main mode (with six messages). The main problem with the aggressive mode is the first two messages  contain data which may help to perform attack on your VPN. For this test I set up VPN on ASA with ‘aggressive mode’ enabled: ciscoasa# sh run crypto crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac crypto map MAPA 10 match address ACL crypto map MAPA 10 set peer 192.168.111.128 crypto map MAPA 10 set ikev1 transform-set TS crypto map MAPA interface inside crypto ikev1 enable inside crypto ikev1 policy 10  authentication pre-share  encryption 3des  hash md5...