Ya'll security doods. Got a crypto question for ya

Started by LynK, November 14, 2017, 08:04:10 AM

Previous topic - Next topic

LynK

Do crypto ACLs on ASAs HAVE TO MATCH exactly for the tunnel to come online? I always assumed yes, but is it the case? I am getting mixed answers.
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

deanwebb

Yes. THEY HAVE TO MATCH EXACTLY.

Exactly as in EXACTLY, same SHA, same DH, same everything. The only difference should be in the direction of the traffic and the ACL used to match it.

This gets messy because by default the ASA has a kitchen sink approach to setting up a VPN and will try everything. You have to get in and carve up precisely what you want to use and be sure that everything else is NOT used.

When your crypto policy has an exact match:

:kidwoohoo:

When there's *just one thing wrong*:

:frustration:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

LynK

that is what I thought, and thanks for the quick reply. I havent been in ASA in a little over a year. Took a new job as a senior network engineer, and got thrown into a vpn.
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

SimonV

#3
Quote from: LynK on November 14, 2017, 08:04:10 AM
Do crypto ACLs on ASAs HAVE TO MATCH exactly for the tunnel to come online? I always assumed yes, but is it the case? I am getting mixed answers.

The ACL is used to define the Proxy ID. If the other end is not an ASA, it should be configured with manual proxy IDs matching exactly the subnets in your ACL, or Phase 2 will not come up.

Not sure if the VTI tunnels are properly implemented already but that would be a more elegant solution. :)

deanwebb

The VPN crypto policy matching is required even when the ASA is not the other end. I had one VPN between an ASA and a Juniper SRG and we had to match ALL. THE. THINGS.

This was me, trying to find how to get the ASA to match things buried in the SRG GUI and vice-versa:

:morty:

ALL. THE. THINGS.

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

Also don't use the tunnel ACL to do filtering. The interface ACLs are for filtering the VPN ACL is to broadly match interesting traffic. I hate it when one of our partners thinks they are doing security by using very specific match ACLs.

-Otanx

dlots

Yes and no:

Each line in an ACL gets it's own ipsec/ikev2 encryption

So your ACEs have to match exactly, but if your entire ACL doesn't match (so 1 ACE doesn't match) all the traffic other than that one ACE will flow nicely I believe.

Probably should test that, but that's how I think it works.

LynK

#7
any of you have any site to site VPNs going to china? I cannot figure this out. I got the VPN to work... but then it fails. I am getting these errors:


5 Nov 14 2017 13:08:34 IP = X.X.X.Y, Duplicate first packet detected.  Ignoring packet.
5 Nov 14 2017 13:08:49 Local:X.X.X.X:500 Remote:X.X.X.Y:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.10.40.106-10.10.40.106 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.10.30.17-10.10.30.17 Protocol: 0 Port Range: 0-65535
3 Nov 15 2017 02:08:37 Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= CMAP001.  Map Sequence Number = 1.


I am getting as far as:

2   IKE Peer: X.X.X.Y
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3



I have tried everything. This company seems to think it is due to the VPN block in china... but I cannot find anything to back that claim as I am getting messages one way. I am not an ASA beginner, and I have deployed a few of them. I think a TAC call might be in place. I am not certain if that is the issue or not.. but it did come up, and then went offline.

The round trip ICMP takes anywhere from 350-470ms to get to this location in china. Thoughts?
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

dlots

That's a pretty bad time even for getting to China.
They using an ASA with IKEv2 also?

Might help to get their config and make sure it matches.

You can probably do a debugg crypto ikev2 or something like that.

I would probably just call TAC and Tshoot while I am on the call.


deanwebb

China is blocking VPNs. Is this going over an MPLS link or the Internet?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

LynK

#10
Over the internet. Do you have any documentation that states this? We are running VPN over the internet to china (that is now failing).


Is there any way to run VPN over a different port on the ASA? I am still investigating this.
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

deanwebb

https://www.eff.org/deeplinks/2017/08/deciphering-chinas-vpn-ban

More if you search on "China VPN ban". I've run into China stuff before, and things work best if they go over an MPLS link and not the WWW.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

Does it fail in phase 1 or phase 2?



If you are not sure you are getting a response, run a (filtered) tcpdump on the external interface of your firewall and filter on udp/500 or udp/4500.

DesertFox

Hi Guys,

I am working on the ISP side. The IPSEC is a no-no in China. You should consider MPLS.

deanwebb

Quote from: DesertFox on November 15, 2017, 05:05:14 AM
Hi Guys,

I am working on the ISP side. The IPSEC is a no-no in China. You should consider MPLS.

Building on that: the reason here is that the public internet is heavily censored and filtered in the People's Republic of China, while business networks going over private MPLS links can have their business-only traffic pass through without the level of censorship that goes with public traffic. PRC wants to control civilian usage, not obstruct businesses.

Not going to comment on whether or not PRC is letting business traffic flow so that it can steal intellectual property. Next question, please.

But it will permit encryption of traffic going across private business links. There are also rules on where centralized control devices are allowed to sit. PRC likes them to be sitting in China, whenever possible. And if you think it's impossible, they smile and insist you can try harder. So, that China location may have a WLC even if other sites of its size use Flex Mobility with the 5508 in the Singapore data center...

ADDED: Russia has similar restrictions on civilian VPN usage.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.