I’ve always said that, when it comes to Cisco, my brains go boom, temperature increases and I end up having 30 Firefox tab trying to search on cisco.com what on earth some kinky cisco-ish feature does and _how_ precisely.

After the latest IPsec adventure with Cisco’s Customer Support (CCIE Security) which advised me to run commands that were not even available on my IOS (yes, I had previously given them my config and IOS version), I said that whenever I have Cisco-related issues I go straight to my team lead, the guy being able to fix no matter issue I encountered on Cisco – at least on the IPsec side…

Now, I’ve had the honor of having to move an EoU/WebAuth config from a 3750 to a 6500. While I was feeling pretty good about myself being able to configure and understand the way to configure EoU and WebAuth on Cisco (EoU is NAC L2, I am using L2 interfaces in a L2 vlan in mode access and use the “ip admission” command on the L2 interface, while WebAuth gets configured as a fallback to 802.1x using the “dot1x fallback dot1x-www” on the L2 interface), I have now realized that I am FAR FAR AWAY from the truth. I’ve woken up on this twisted 6500, where I have the possibily of configuring:

1. 802.1x – fair enough, I am not using 802.1x here anyways

2. NAC Layer 2 IP / LAN Port IP – which can be configured this way (as per Cisco’s KB)

3. LAN Port IP – which, ignoring their own definition from some KBs, now appears as a “Web-Based Authentication” and gets configured…nowhere says _how_

4. NAC Layer 3 IP / NAC Gateway IP – which should be enabled on L3 interfaces

Router(config)# ip admission name webauth1 proxy http

Router(config)# interface fastethernet 5/1

Router(config-if)# ip admission webauth1

Router(config-if)# authentication order webauth

Router(config-if)# exit

Router(config)# ip device tracking

Router(config)# ip admission proxy http login page file disk1:login.htm

Router(config)# ip admission proxy http success page file disk1:success.htm

Router(config)# ip admission proxy http fail page file disk1:fail.htm

Router(config)# ip admission proxy http login expired page file disk1:expired.htm

5. NAC Gateway IP – which is configured as auth-proxy, this way:

Router(config)# ip auth-proxy name webauth http inactivity-time 60

Router(config)#interface GigabitEthernet3/15

Router(config-if)# description WEBAUTH

Router(config-if)# switchport

Router(config-if)# switchport access vlan 502

Router(config-if)# switchport mode access

Router(config-if)# ip access-group www in

Router(config-if)# spanning-tree portfast edge

Router(config-if)# ip auth-proxy webauth

Router(config)# ip access-list extended www

Router(config)# permit tcp any any eq www

Router(config)# deny   ip any any

The “aaa authentication login default radius” is on. The “ip http server” is on. The “aaa authorization auth-proxy default group radius ” is on also.

Now, I am no EoU, WebAuth, and by far no Cisco guru, but, what gives? Why so many auth methods? And, specially, why the method I use to configure one way on a 3750 (WebAuth using the “auth-proxy” set of commands) is configured some other way on 6500 (WebAuth using the “ip admission <name> proxy http” set of commands) – while keeping the “auth-proxy” set of commands – which here do something else. Why is it so hard to be consistent all over your own set of devices?

I have done 802.1x on Summit (netlogin called in there), WebAuth on Summit and WebAuth on HP switches. None of them seemed so damn confusing I am lost.

Tags: auth-proxy, cisco, eap, EAPoverUDP, EoU, HP, passion, radius, Summit, techie, web-auth

It occurred to me today…how ’bout trying an IPcomp scenario? Of course, looking at RFC 3173, I was very excited about running a test and actually viewing Next Header / Protocol = 108, as the IETF guys say.

Basically, the “Compression” part of this IPsec traffic is negotiated just as  any other protocol: AH, ESP, EAP…via IKE, or manually configured on a device. Now…as I’ve got to devices….good question: _what_ device could I use if I want IPsec IPCompression?

Look at this: http://www.vpnc.org/vpnc-ipsec-features-chart.html. Scroll down to “Features (HTML table). The vendors that actually implement this, as per VPN Consortium (and for some of them I could tell you from direct experience), are CheckPoint, Cisco, McAfee, SafeNet, StoneSF and TeamF1. A bit disappointed that I didn’t have the opportunity of working on all of these devices, I am redirecting my attention to what I do have: a big, shiny and fluffy Debian, with Strongswan installed and xfrm module also on.

So, lets get down to business. I have taken the simplest scenario I could think of at the moment, a transport mode scenario, having as Initiator 192.168.0.10 and as Responder 192.168.0.1. These two hosts negotiate 3des-md5-dh2 algorithms, doing PSK authentication. No PFS, no other kinky stuff. Just basic IKEv2 negotiation. The Strongswan config is as simple as possible.

*Note 1 : on strongswan.org people say that IKEv2 does not support compression – I have run a test with IKEv2 and compression and it works very well But, in order to humor the strongswan guys, I have used IKEv1 in the following scenario

*Note 2 : in order to actually _see_ the encapsulated packets, I have used ESP-NULL Encryption for data encapsulation. Yes, I could have used a NetCocoon analyzer, but that – in the next episode

So: IKEv1, Transport mode, Main Mode, Null Encryption, ESP only, IP Comp:

# ipsec status

000 “network1″: 192.168.0.1[192.168.0.1]…192.168.0.10[192.168.0.10]; erouted; eroute owner: #3

000 “network1″:   newest ISAKMP SA: #2; newest IPsec SA: #3;

000

000 #3: “network1″ STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2488s; newest IPSEC; eroute owner

000 #3: “network1″ [email protected] (0 bytes) [email protected] (0 bytes) [email protected] [email protected]; transport

000 #2: “network1″ STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2488s; newest ISAKMP

000

Yes, it worked.

Now…I am not sure what exact compression algorithms this Strongswan daemon has, but I can tell you for sure it uses at least DEFLATE (  RFC 2394 ). Cisco on the other hand, uses only LZS (RFC 2395 ) – as far as I have seen – to be updated if anybody else tested it versus DEFLATE.

The process of actually obtaining this cute ESP packets is the following:

a. get the Data from the upper layers of the TCP stack – doh, we need data

b. compress the Data above using the chosen algorithm – you will notice the CPI – Compression Parameter Index – which has well know identifiers for the well known compression algorithms

c. set the Next Header value of the IPComp header to the layer 4 protocol (in this case, TCP)

d. encapsulate everything in ESP, put on the corresponding SPI, set the Next Header value of the ESP header to 108 (0x6c)

e. wrap it up in IP and… we are all set

— You can admire the ESP of IKEv1 in the screenshot attached

Now, what happens differently with IKEv2? I was telling you before the on Strongswan, IKEv2 and AH is a no-no for the moment, ESP with null encryption does a weird thinggie that vmp was so kind to point it out for me (while I was feeling actually quite happy about myself being able to do an IPComp test via IKEv1).

The thing is that, unlike the (correct) way of doing IPComp in IKEv1 (see the aboe a. to e. steps), IKEv2 implementation of Strongswan does a weird thing:

a. get the Data ..blah-blah

b. compress the Data with whatever compression algorithm and put on the IPComp header with CPI value and all

* c. put on another IP header (the internal one, in case of a tunnel mode scenario)

d. put on the ESP header

e. wrap everything up

— Unfortunately, you CANNOT admire the ESP of IKEV2 in a screenshot, because my current wireshark has no idea on how to do decompression of this type of packet. Once it does, I will update

Tags: checkpoint, cisco, compression, Debian, IETF, IKE, IPComp, ipsec, netcocoon, passion, RFC, Strongswan, techie, xfrm

Dupa cum unii dintre voi stiau, tipul ala mare, blond, ras in cap si cu motocicleta (Alex Militaru), si-a facut firma de catering – Smart Food.

De ce? Pentru ca e super simandicos si pretentios si sclifosit si vrea sa aiba mereu procentajul ideal de grasime versus muschi/oase…si ce-o mai fi in corp. De-aia era mereu nemultumit de mancarea pe care o gaseam primprejur si s-a gandit sa rezolve el problema.

Azi am comandat mai multi de la Smart Food si am fost foooarte multumiti. Preturile sunt cam ca peste tot, dar mancarea e fff buna, te saturi, da’ nu simti ca dai pe-afara, nu e grasa si e gatita ca sa isi pastreze componentele hranitoare. Conceptul Smart Food este enuntat de Alex pe pagina de  …Concept

Smartfood s-a nascut din dorinta de a oferi clientilor un gust aparte si un mod sanatos de preparare a produselor, fara aditivi, fara conservanti si fara compromisuri. Conceptul s-a nascut dupa o experienta personala materializata in cautarea unui echilibru alimentar, incercarea de a ajunge la o greutate ideala, completate de sport. Dupa cativa ani de studiu, 20 de kg mai putin si multiple incercari am ajuns la o formula ce ofera deopotriva mancare gustoasa si sanatoasa….

Alaturi de mancarea etichetata frumos sa nu ne incurcam intre noi am primit si sloganuri speciale, ale mele sunt asa:

Supa crema de ciuperci – IKEv2 si niste terci

Pui balsamic – ai grija la degete

Pentru maine am comandat:

supa de broccoli cu branza de capra
somon aglio olio

Abia astept sa vina!!!

Meniul e la adresa :

http://smartfood.ro/meniu.html

Tags: mancare sanatoasa

When I read it on her facebook page, I was rotfl

— from a friend, now studying Cybernetics in Bonn

“you have the attention of a dirac distribution”…

Tags: geekish

Alex was my QA colleague. Wonderful engineer and wonderful person. And a very demanding person in matters of food, he was never happy with the food we used to get from the local places and restaurants, we always made fun of him being so picky about everything.

So, last year, a few months ago, he decided to solve this problem and opened Smart Food. Today I’ve ordered Mushroom soup and Balsamic chicken with vegetables. I am simply HAPPY, I’ve eaten all the food, very fast, I just couldn’t help myself . Some other colleagues ordered two other types of soups and fish, I have tasted all, of course. My opinion: WONDERFUL.

Finally, good quality food, what Alex and his team had in mind all the time. The Smart Food concept is the following: “Smartfood was born out of the wish to offer our customers a special taste and a healthy way of preparing our products: no additives, no preservatives and no compromises”…read the rest on the Smart Food site.

Alex practiced sports when he was in highschool and gained a lot of weight in the past few years. Over more than a year, he actually eats everyday the type of food he sells to us. When I met him at a coffee shop 2 months ago I simply didn’t recognized him: very very fit, looking much younger and simply gorgeous. I have decided to go to the gym at least 3-4 times a week (for the past month I have went almost 5 days every week) – following his advice and be more careful about what I eat and when I eat. The Smart Food products are very nourishing, but have a big advantage: they help me stay in shape and…boy, I looove shapes…I’m gonna go to the gym and run again at least 6km…as in the past couple of weeks – talk to you later

Tags: fit, food, gym, health, passion