Saturday, March 30, 2019

Cisco ASA 5500-X Password Recovery in Multiple Context Mode

Here's the link to Cisco's password recovery procedure for the different ASA firewall platforms. There's a slight difference between the first-generation ASA5500 and the ASA5500-X series (the step where you type Yes). Below is the password recovery I performed on a Cisco ASA5555-X in Multiple Context mode.

ciscoasa/pri/act(config)# changeto context admin
ciscoasa/pri/act/admin(config)# show run
Command authorization failed


You need to disable failover under the system context on each firewall so the configuration is not synchronized between the pair; troubleshooting then stays on the Primary unit only.

ciscoasa/sec/stby(config)# no failover

ciscoasa/pri/act(config)# no failover
ciscoasa/pri/actNoFailover(config)# write memory      // SAVE CONFIG


Reboot the ASA either by issuing reload under the system context or by pressing and holding the power button on the appliance. Press Escape (the Esc key beside F1) during boot to enter ROMMON mode.

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Boot in 10 seconds.
                                          

Boot interrupted.

Management0/0
Link is UP
MAC Address: 84b2.6191.1234


Use ? for help.
rommon #0> confreg

Current Configuration Register: 0x00000001     // THIS IS THE NORMAL CONFIG REGISTER SETTING; WILL LOAD THE STARTUP-CONFIG
Configuration Summary:
  boot default image from Flash

Do you wish to change this configuration? y/n [n]: n    // TYPE n FOR NO OR JUST PRESS ENTER TO ACCEPT DEFAULT VALUE

rommon #1> confreg 0x41      // THIS WILL BYPASS THE STARTUP-CONFIG

Update Config Register (0x41) in NVRAM...

rommon #2> confreg

Current Configuration Register: 0x00000041
Configuration Summary:
  boot default image from Flash
  ignore system configuration

Do you wish to change this configuration? y/n [n]: y     // TAKE NOTE OF THE YES
enable boot to ROMMON prompt? y/n [n]:  <PRESS ENTER TO ACCEPT DEFAULT VALUE>
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

Current Configuration Register: 0x00000041
Configuration Summary:
  boot ROMMON
  ignore system configuration

Update Config Register (0x41) in NVRAM...

rommon #4> boot     // REBOOT APPLIANCE
Launching BootLoader...
Boot configuration file contains 1 entry.


Loading disk0:/asa982-35-smp-k8.bin... Booting...
Platform ASA5555

Loading...

<SNIP>


This platform has an ASA5555 VPN Premium license.

Creating context 'system'... Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
Done. (0)
Creating context 'null'... Done. (507)

Cisco Adaptive Security Appliance Software Version 9.8(2)35 <system>

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************
Cisco Adaptive Security Appliance Software, version 9.8
Copyright (c) 1996-2018 by Cisco Systems, Inc.
For licenses and notices for open source software used in this product, please visit
http://www.cisco.com/go/asa-opensource

                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Ignoring the rest of the file
Ignoring startup configuration as instructed by configuration register.

INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1. 
Failed logins since the last login: 0. 
Type help or '?' for a list of available commands.

ciscoasa> enable      // ASA WILL LOAD A BLANK OR DEFAULT CONFIG
Password: <ENTER>

ciscoasa# show run
: Saved

:
: Serial Number: FCH19391234
: Hardware:   ASA5555, 16384 MB RAM, CPU Lynnfield 2792 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)35 <system>    // YOU'LL BE IN SYSTEM CONTEXT
!
hostname ciscoasa
enable password $sha512$5000$4WmfnCPFaydT+Fowjif0Cg==$ORJElavY7LebyP0cYjYmhQ== pbkdf2
no mac-address auto
!
interface GigabitEthernet0/0
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 shutdown
!
interface GigabitEthernet0/6
 shutdown
!
interface GigabitEthernet0/7
 shutdown
!
interface Management0/0
 shutdown
!
class default
  limit-resource All 0
  limit-resource Mac-addresses 65536
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
ssh stricthostkeycheck
console timeout 0
!
tls-proxy maximum-session 1000
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:00000000000000000000000000000000
: end


ciscoasa# copy startup-config running-config      // LOAD THE STARTUP-CONFIG
Destination filename [running-config]?

.INFO: Non-failover interface config is cleared on GigabitEthernet0/7 and its sub-interfaces
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (1)
...
Cryptochecksum (unchanged): 3e88bc1b fd82b3a9 6ee910d2 343ce7ef
INFO: Context admin was created with URL disk0:/admin.cfg        
INFO: Admin context will take some time to come up .... please wait.    // ASA WILL LOAD THE admin AND OTHER CONFIGURED CONTEXTS

ciscoasa/pri/act# .

    No Active mate detected

ciscoasa/pri/act# configure terminal
ciscoasa/pri/act(config)# no failover     // DISABLE FAILOVER AND OVERWRITE PASSWORDS
ciscoasa/pri/actNoFailover(config)#
ciscoasa/pri/actNoFailover(config)# aaa-server ISE protocol tacacs+
ciscoasa/pri/actNoFailover(config)# aaa-server ISE (management) host 192.168.1.100
ciscoasa/pri/actNoFailover(config)# key cisco123
ciscoasa/pri/actNoFailover(config)# username enable_15 password cisco privilege 15   // THIS IS A LOCAL USER FALLBACK WHEN GETTING THE ERROR:  
Username 'enable_15' not in LOCAL database
Command authorization failed
ciscoasa/pri/actNoFailover(config)# aaa authentication ssh console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication enable console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication http console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa authentication serial console ISE LOCAL
ciscoasa/pri/actNoFailover(config)# aaa accounting command ISE
ciscoasa/pri/actNoFailover(config)# aaa authorization exec authentication-server auto-enable   // THIS WILL BYPASS TYPING enable AND GO DIRECTLY TO  PRIVILEGE EXEC MODE
ciscoasa/pri/actNoFailover(config)# aaa authorization command ISE LOCAL
ciscoasa/pri/actNoFailover/admin(config)# sh run aaa
Command authorization failed      // TACACS+/AAA KICKED IN
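A small audit for the lockout the session above ran into, as an added example (not the author's or Cisco's code): it reads an ASA running-config and reports any `aaa authentication ... console` or `aaa authorization command` line without a LOCAL fallback, a missing local privilege-15 user, and LOCAL command authorization without the implicit `enable_15` user behind the `Username 'enable_15' not in LOCAL database` error. The two configs are constructed samples and `<LOCAL-PASSWORD>` is a placeholder.

```python
import re

# `aaa authentication {ssh|enable|http|serial} console <groups>` and
# `aaa authorization command <groups>`: the last method listed is the fallback.
AAA_RE = re.compile(r"^aaa (?:authentication \S+ console|authorization command) (?P<groups>.+)$")
# Covers both `password X privilege N` and the stored
# `password <hash> encrypted|pbkdf2 privilege N` forms shown by `show run`.
USER_RE = re.compile(r"^username (?P<name>\S+) password .* privilege (?P<priv>\d+)\b")


def audit_aaa_fallback(config: str) -> list:
    """Return findings that would lock administrators out when the TACACS+
    server is unreachable or does not know the user; [] means none found."""
    findings = []
    local_users = {}            # username -> privilege level
    command_authz_local = False
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_RE.match(line)
        if m:
            groups = m.group("groups").split()
            if groups[-1] != "LOCAL":
                findings.append(f"no LOCAL fallback: '{line}'")
            if line.startswith("aaa authorization command") and "LOCAL" in groups:
                command_authz_local = True
            continue
        u = USER_RE.match(line)
        if u:
            local_users[u.group("name")] = int(u.group("priv"))
    if 15 not in local_users.values():
        findings.append("no local privilege-15 username configured")
    # A session that authenticated with the enable password is authorized as
    # the implicit user enable_15; with LOCAL command authorization that user
    # must exist, otherwise every command fails with
    # "Username 'enable_15' not in LOCAL database / Command authorization failed".
    if command_authz_local and local_users.get("enable_15") != 15:
        findings.append("LOCAL command authorization without "
                        "'username enable_15 ... privilege 15'")
    return findings


# Constructed samples: the first reproduces the lockout pattern, the second
# mirrors the fallback configuration entered in the session above.
BROKEN_CONFIG = """\
aaa-server ISE protocol tacacs+
aaa-server ISE (management) host 192.168.1.100
aaa authentication ssh console ISE
aaa authentication enable console ISE
aaa authorization command ISE LOCAL
"""

FIXED_CONFIG = """\
aaa-server ISE protocol tacacs+
aaa-server ISE (management) host 192.168.1.100
username enable_15 password <LOCAL-PASSWORD> privilege 15
aaa authentication ssh console ISE LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication serial console ISE LOCAL
aaa accounting command ISE
aaa authorization exec authentication-server auto-enable
aaa authorization command ISE LOCAL
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", audit_aaa_fallback(cfg) or ["OK"])
```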


admin@ciscoasa's password:      // SSH TO THE ASA
User admin logged in to ciscoasa
Logins over the last 1 days: 1. 
Failed logins since the last login: 0. 
Type help or '?' for a list of available commands.

ciscoasa/pri/actNoFailover/admin#     // PROMPT GOES DIRECTLY TO PRIVILEGE EXEC
ciscoasa/pri/actNoFailover/admin# changeto system
ciscoasa/pri/actNoFailover# configure terminal     
ciscoasa/pri/actNoFailover(config)# no config-register    // REVERT TO ORIGINAL CONFIG REGISTER (0x1)
ciscoasa/pri/actNoFailover(config)# failover
ciscoasa/pri/act(config)# write memory     // SAVE CONFIG
ciscoasa/pri/act(config)# show version

<SNIP>

Configuration register is 0x41 (will be 0x1 at next reload)

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 04:12:09.307 UTC Fri Mar 22 2019


<REBOOT ASA>


ciscoasa/pri/act/admin# show version

<SNIP>


This platform has an ASA5555 VPN Premium license.

Serial Number: FCH19391234
Running Permanent Activation Key: 0xca3de65c 0x28092655 0xa10195b8 0xd4887824 0x801b1234
Configuration register is 0x1

Sunday, February 3, 2019

Removing Cisco ASA Firewall Security Context

To configure a Cisco ASA firewall Security Context, you'll need a Security Context License applied on the ASA. The maximum number of Security Contexts supported depends on the ASA platform.

ciscoasa# configure terminal
ciscoasa(config)# activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0x8b48b8b0 0xf317c0b5
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Failover is different.
   running permanent activation key: Restricted(R)
   new permanent activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
Proceed with update flash activation key? [confirm]
The flash permanent activation key was updated with the requested key,
and will become active after the next reload.
ciscoasa(config)#
ciscoasa(config)# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 5 mins 16 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 0000.ab5a.d200, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.ab5a.d201, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.ab5a.d202, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab5a.d203, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration last modified by enable_15 at 03:16:54.199 UTC Wed Sep 19 2018
ciscoasa(config)#
ciscoasa(config)# reload     // REBOOT THE ASA FOR SECURITY CONTEXT LICENSE TO TAKE EFFECT
System config has been modified. Save? [Y]es/[N]o: 
Cryptochecksum: 98cf2135 92873d13 a11da19a cf9d6707

1995 bytes copied in 1.650 secs (1995 bytes/sec)
Proceed with reload? [confirm]
ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system



***
*** --- SHUTDOWN NOW ---
REBOOT: open message queue fail: No such file or directory/2
REBOOT: enforce reboot...
Restarting system.
machine restart


ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 59 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 0000.ab5a.d200, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.ab5a.d201, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.ab5a.d202, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab5a.d203, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Configuration register is 0x0
Configuration has not been modified since last system restart.
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: 
ciscoasa(config)#
ciscoasa(config)# mode ?

configure mode commands/options:
  multiple   Multiple mode; mode with security contexts
  noconfirm  Do not prompt for confirmation
  single     Single mode; mode without security contexts
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]    
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple



***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
REBOOT: open message queue fail: No such file or directory/2
REBOOT: enforce reboot...
Restarting system.
machine restart


ciscoasa# changeto system
ciscoasa# configure terminal
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)#
ciscoasa(config)# hostname ? 

configure mode commands/options:
  WORD < 64 char  Host name for this system. A hostname must start and end with
                  a letter or digit and have as interior characters only
                  letters, digits, or a hyphen.
ciscoasa(config)# prompt ?

configure mode commands/options:
  context   Display the context in the session prompt (multimode only)
  domain    Display the domain in the session prompt
  hostname  Display the hostname in the session prompt
  priority  Display the priority in the session prompt
  state     Display the traffic passing state in the session prompt
ciscoasa(config)# prompt hostname context
ciscoasa(config)#
ciscoasa(config)# show run
: Saved
:
ASA Version 8.4(2) <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0
 shutdown
!
interface GigabitEthernet1
 shutdown
!
interface GigabitEthernet2
 shutdown
!
interface GigabitEthernet3
 shutdown
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!            

ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  config-url disk0:/admin.cfg
!

prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:2812193d036302b9b304ad8b1772c974
: end


Ensure the ASA interfaces are unshut (no shutdown) in System Context.
ciscoasa(config)# interface g0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface g1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# int g1.444
ciscoasa(config-subif)# vlan 444
ciscoasa(config-subif)# no shut
ciscoasa(config-subif)#
ciscoasa(config-subif)# context TEST-1
Creating context 'TEST-1'... Done. (2)

ciscoasa(config-ctx)# allocate-interface g0
ciscoasa(config-ctx)# allocate-interface g1.444
ciscoasa(config-ctx)# config-url disk0:/TEST-1.cfg

WARNING: Could not fetch the URL disk0:/TEST-1.cfg
INFO: Creating context with default config

ciscoasa(config-ctx)# exit
ciscoasa(config)# end
ciscoasa# show run
: Saved
:
ASA Version 8.4(2) <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0
!
interface GigabitEthernet1
!
interface GigabitEthernet1.444
 vlan 444
!
interface GigabitEthernet2
 shutdown
!
interface GigabitEthernet3
 shutdown
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  config-url disk0:/admin.cfg
!

context TEST-1
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet1.444
  config-url disk0:/TEST-1.cfg

!

prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:e0ee857ea073cb0043c19d47245179da
: end

 
ciscoasa# changeto context TEST-1
ciscoasa/TEST-1#
ciscoasa/TEST-1# show run
: Saved
:
ASA Version 8.4(2) <context>
!
hostname TEST-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1.444
 no nameif
 no security-level
 no ip address
!
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:2cb2107b9725b16aaf94ceb8f71ea75b
: end


To remove a Security Context, go to the System Context, issue no context <CONTEXT NAME>, and then delete the context's config file from flash memory (disk0).


ciscoasa(config)# no context TEST-1
WARNING: Removing context 'TEST-1'
Proceed with removing the context? [confirm]
Removing context 'TEST-1' (2)... Done
ciscoasa(config)# delete config-url disk0:/TEST-1.cfg
ciscoasa(config)# show run
: Saved
:
ASA Version 8.4(2) <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
no mac-address auto
!
interface GigabitEthernet0
!
interface GigabitEthernet1
!
interface GigabitEthernet1.444
 vlan 444
!
interface GigabitEthernet2
 shutdown
!
interface GigabitEthernet3
 shutdown
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  config-url disk0:/admin.cfg
!

prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:f3ea19991e889c8988eef5380a4c345c
: end
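An added example (not part of the original post) for the create-and-remove procedure above: it parses the `context` stanzas of a system-context `show run` into their allocated interfaces and config-url, then compares the referenced files against a disk0: listing so a .cfg left behind after `no context <NAME>` is reported. The configs and the disk0: file list are constructed samples modelled on the output shown above.

```python
import re

CONTEXT_RE = re.compile(r"^context (\S+)$")


def parse_contexts(system_config: str) -> dict:
    """Map each `context <name>` stanza to its allocated interfaces and config-url.

    A stanza ends at the first unindented line ("!", the next top-level
    command) or blank line, which is how the system context lays them out.
    """
    contexts, current = {}, None
    for raw in system_config.splitlines():
        line = raw.rstrip()
        m = CONTEXT_RE.match(line)
        if m:
            current = m.group(1)
            contexts[current] = {"interfaces": [], "config_url": None}
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None
            continue
        body = line.strip()
        if body.startswith("allocate-interface "):
            contexts[current]["interfaces"].append(body.split(None, 1)[1])
        elif body.startswith("config-url "):
            contexts[current]["config_url"] = body.split(None, 1)[1]
    return contexts


def orphaned_context_files(system_config: str, disk0_listing: list) -> list:
    """Return .cfg files on disk0: that no configured context points at,
    i.e. leftovers that `no context <NAME>` did not clean up."""
    referenced = set()
    for ctx in parse_contexts(system_config).values():
        url = ctx["config_url"]
        if url and url.startswith("disk0:/"):
            referenced.add(url[len("disk0:/"):])
    return sorted(f for f in disk0_listing
                  if f.endswith(".cfg") and f not in referenced)


# Constructed samples modelled on the system-context `show run` output above.
SYSTEM_CONFIG_WITH_TEST1 = """\
hostname ciscoasa
!
admin-context admin
context admin
  config-url disk0:/admin.cfg
!

context TEST-1
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet1.444
  config-url disk0:/TEST-1.cfg

!
prompt hostname context
"""

SYSTEM_CONFIG_AFTER_NO_CONTEXT = """\
hostname ciscoasa
!
admin-context admin
context admin
  config-url disk0:/admin.cfg
!
prompt hostname context
"""

# Constructed disk0: listing in which TEST-1.cfg is still present after removal.
DISK0_LISTING = ["admin.cfg", "TEST-1.cfg", "asa842-k8.bin"]

if __name__ == "__main__":
    print(parse_contexts(SYSTEM_CONFIG_WITH_TEST1))
    print("orphaned:", orphaned_context_files(SYSTEM_CONFIG_AFTER_NO_CONTEXT, DISK0_LISTING))
```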
 

Saturday, January 5, 2019

IPSec IKE Phase 1 Pre-Shared Key Exchange

I was researching whether the pre-shared key exchange between two IPSec VPN SAs is encrypted and not sent in clear text. According to RFC 2409, the pre-shared key is protected by the Diffie-Hellman algorithm. Below are some snippets from the said RFC.


   There are two basic methods used to establish an authenticated key
   exchange: Main Mode and Aggressive Mode. Each generates authenticated
   keying material from an ephemeral Diffie-Hellman exchange. Main Mode
   MUST be implemented; Aggressive Mode SHOULD be implemented. In
   addition, Quick Mode MUST be implemented as a mechanism to generate
   fresh keying material and negotiate non-ISAKMP security services. In
   addition, New Group Mode SHOULD be implemented as a mechanism to
   define private groups for Diffie-Hellman exchanges. Implementations
   MUST NOT switch exchange types in the middle of an exchange.


   Four different authentication methods are allowed with either Main
   Mode or Aggressive Mode-- digital signature, two forms of
   authentication with public key encryption, or pre-shared key. The
   value SKEYID is computed separately for each authentication method.


   SKEYID is a string derived from secret material known only to the
   active players in the exchange.

   For pre-shared keys:       SKEYID = prf(pre-shared-key, Ni_b | Nr_b)


   The result of either Main Mode or Aggressive Mode is three groups of
   authenticated keying material:

      SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
      SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
      SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

   and agreed upon policy to protect further communications. The values
   of 0, 1, and 2 above are represented by a single octet. The key used
   for encryption is derived from SKEYID_e in an algorithm-specific
   manner (see appendix B).

   To authenticate either exchange the initiator of the protocol
   generates HASH_I and the responder generates HASH_R where:

    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )

   For authentication with digital signatures, HASH_I and HASH_R are
   signed and verified; for authentication with either public key
   encryption or pre-shared keys, HASH_I and HASH_R directly
   authenticate the exchange.  The entire ID payload (including ID type,
   port, and protocol but excluding the generic header) is hashed into
   both HASH_I and HASH_R.
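The derivation quoted above carried through in code, as an added example that is not part of the original post or of RFC 2409: prf is HMAC-SHA1 to match the lab's `hash sha` policy, and the cookies, nonces, public values, g^xy and SA body are constructed stand-ins for what the first four Main Mode messages carry. Running it shows that only HASH_I and HASH_R depend on the pre-shared key, that the key itself appears in no transmitted payload, and that a peer configured with a different key fails verification.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf for the 'hash sha' policy: HMAC-SHA1 keyed with `key`."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)"""
    return prf(psk, ni_b + nr_b)


def derive_keying_material(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a, SKEYID_e from RFC 2409; 0, 1, 2 are single octets."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)"""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


# Constructed sample values standing in for what the first four Main Mode
# messages carry. g^xy is the Diffie-Hellman shared secret: each peer computes
# it locally from its own private exponent and the other side's public value,
# so it is never transmitted either.
SAMPLE = {
    "cky_i": bytes.fromhex("0102030405060708"),
    "cky_r": bytes.fromhex("a1a2a3a4a5a6a7a8"),
    "ni_b": b"constructed-initiator-nonce",
    "nr_b": b"constructed-responder-nonce",
    "gxi": b"constructed-g^xi-public-value",
    "gxr": b"constructed-g^xr-public-value",
    "gxy": b"constructed-g^xy-dh-shared-secret",
    "sai_b": b"constructed-SA-body-aes-sha-psk-group2",
    # ID payload body: ID_IPV4_ADDR (1), protocol UDP (17), port 500, address
    "idii_b": b"\x01\x11\x01\xf4" + bytes([200, 1, 1, 2]),  # router 200.1.1.2
    "idir_b": b"\x01\x11\x01\xf4" + bytes([100, 1, 1, 2]),  # ASA 100.1.1.2
}


def main_mode_psk(psk_initiator: bytes, psk_responder: bytes, v: dict = SAMPLE):
    """Authentication step of Main Mode, each side using its own configured PSK.

    Returns (responder_accepts, initiator_accepts, wire), where `wire` lists
    the payload bodies that cross the network. In Main Mode the ID and HASH
    payloads of messages 5 and 6 travel encrypted under the key derived from
    SKEYID_e; Aggressive Mode sends them unencrypted, which is why Main Mode
    is the safer choice for pre-shared-key authentication.
    """
    # Each side derives SKEYID from ITS OWN pre-shared key and the two nonces.
    skeyid_i = skeyid_psk(psk_initiator, v["ni_b"], v["nr_b"])
    skeyid_r = skeyid_psk(psk_responder, v["ni_b"], v["nr_b"])
    args = (v["gxi"], v["gxr"], v["cky_i"], v["cky_r"], v["sai_b"])

    # Initiator sends HASH_I; the responder recomputes it with its own SKEYID.
    sent_hash_i = hash_i(skeyid_i, *args, v["idii_b"])
    responder_accepts = hmac.compare_digest(sent_hash_i, hash_i(skeyid_r, *args, v["idii_b"]))

    # Responder answers with HASH_R; the initiator verifies it the same way.
    sent_hash_r = hash_r(skeyid_r, *args, v["idir_b"])
    initiator_accepts = hmac.compare_digest(sent_hash_r, hash_r(skeyid_i, *args, v["idir_b"]))

    wire = [v["cky_i"], v["cky_r"], v["sai_b"], v["gxi"], v["gxr"], v["ni_b"],
            v["nr_b"], v["idii_b"], v["idir_b"], sent_hash_i, sent_hash_r]
    return responder_accepts, initiator_accepts, wire


def psk_on_the_wire(psk: bytes, wire: list) -> bool:
    """True only if the raw pre-shared key appears inside a transmitted payload."""
    return any(psk in payload for payload in wire)


if __name__ == "__main__":
    ok_r, ok_i, wire = main_mode_psk(b"cisco123", b"cisco123")
    bad_r, bad_i, _ = main_mode_psk(b"cisco123", b"wrong-key")
    print("matching PSK   -> responder:", ok_r, "initiator:", ok_i)
    print("mismatched PSK -> responder:", bad_r, "initiator:", bad_i)
    print("PSK visible on the wire:", psk_on_the_wire(b"cisco123", wire))
```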


I did a quick lab and performed a site-to-site IPSec VPN between a Cisco IOS router and a Cisco ASA firewall.


R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            200.1.1.2       YES manual up                    up     
FastEthernet1/0            unassigned      YES unset  administratively down down   
FastEthernet1/1            192.168.200.1   YES manual up                    up  



R1#show run | sec crypto
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 6 cisco123 address 100.1.1.2     
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode tunnel
crypto map CMAP 1 ipsec-isakmp
 set peer 100.1.1.2
 set transform-set TSET
 match address 100
 crypto map CMAP


ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           100.1.1.2       YES manual up                    up 
GigabitEthernet1           unassigned      YES unset  administratively down up 
GigabitEthernet2           unassigned      YES unset  administratively down up 

ciscoasa# show run crypto
crypto ipsec ikev1 transform-set TSET esp-aes esp-sha-hmac
crypto map CMAP 1 match address 100
crypto map CMAP 1 set peer 200.1.1.2
crypto map CMAP 1 set ikev1 transform-set TSET
crypto map CMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ciscoasa# sh run tunnel-group
tunnel-group 200.1.1.2 type ipsec-l2l
tunnel-group 200.1.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
 
R1#ping 100.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.2, timeout is 2 seconds:

*Dec 19 14:14:29.711: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 200.1.1.2:500, remote= 100.1.1.2:500,
    local_proxy= 200.1.1.2/255.255.255.255/256/0,
    remote_proxy= 100.1.1.2/255.255.255.255/256/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Dec 19 14:14:29.731: ISAKMP:(0): SA request profile is (NULL)
*Dec 19 14:14:29.731: ISAKMP: Created a peer struct for 100.1.1.2, peer port 500
*Dec 19 14:14:29.735: ISAKMP: New peer created peer = 0x6A8D370C peer_handle = 0x8000000E
*Dec 19 14:14:29.735: ISAKMP: Locking peer struct 0x6A8D370C, refcount 1 for isakmp_initiator
*Dec 19 14:14:29.739: ISAKMP: local port 500, remote port 500
*Dec 19 14:14:29.739: ISAKMP: set new node 0 to QM_IDLE     
*Dec 19 14:14:29.743: ISAKMP:(0):insert sa successfully sa = 6A934514
*Dec 19 14:14:29.743: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Dec 19 14:14:29.747: ISAKMP:(0):found peer pre-shared key matching 100.1.1.2
*Dec 19 14:14:29.751: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Dec 19 14:14:29.751: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Dec 19 14:14:29.751: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Dec 19 14:14:29.755: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Dec 19 14:14:29.755: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Dec 19 14:14:29.759: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Dec 19 14:14:29.759: ISAKMP:(0): beginning Main Mode exchange
*Dec 19 14:14:29.763: ISAKMP:(0): sending packet to 100.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 19 14:14:29.763: ISAKMP:(0):Sending an IKE IPv4 Packet..
*Dec 19 14:14:31.415: ISAKMP (0): received packet from 100.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Dec 19 14:14:31.419: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 19 14:14:31.419: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Dec 19 14:14:31.427: ISAKMP:(0): processing SA payload. message ID = 0
*Dec 19 14:14:31.431: ISAKMP:(0): processing vendor id payload
*Dec 19 14:14:31.431: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec 19 14:14:31.435: ISAKMP:(0): vendor ID is NAT-T v2
*Dec 19 14:14:31.435: ISAKMP:(0): processing vendor id payload
*Dec 19 14:14:31.435: ISAKMP:(0): processing IKE frag vendor id payload
*Dec 19 14:14:31.439: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Dec 19 14:14:31.439: ISAKMP:(0):found peer pre-shared key matching 100.1.1.2
*Dec 19 14:14:31.443: ISAKMP:(0): local preshared key found
*Dec 19 14:14:31.443: ISAKMP : Scanning profiles for xauth ...
*Dec 19 14:14:31.447: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Dec 19 14:14:31.447: ISAKMP:      encryption AES-CBC
*Dec 19 14:14:31.447: ISAKMP:      keylength of 128
*Dec 19 14:14:31.451: ISAKMP:      hash SHA
*Dec 19 14:14:31.451: ISAKMP:      default group 2
*Dec 19 14:14:31.451: ISAKMP:      auth pre-share
*Dec 19 14:14:31.451: ISAKMP:      life type in seconds
*Dec 19 14:14:31.451: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Dec 19 14:14:31.451: ISAKMP:(0):atts are acceptable. Next payload is 0
*Dec 19 14:14:31.451: ISAKMP:(0):Acceptable atts:actual life: 0
*Dec 19 14:14:31.451: ISAKMP:(0):Acceptable atts:life: 0
*Dec 19 14:14:31.451: ISAKMP:(0):Fill atts in sa vpi_length:4
*Dec 19 14:14:31.451: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Dec 19 14:14:31.451: ISAKMP:(0):Returning Actual lifetime: 86400
*Dec 19 14:14:31.451: ISAKMP:(0)::Started lifetime timer: 86400.
*Dec 19 14:14:31.451: ISAKMP:(0): processing vendor id payload
*Dec 19 14:14:31.451: ISAK.!MP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec 19 14:14:31.451: ISAKMP:(0): vendor ID is NAT-T v2
*Dec 19 14:14:31.451: ISAKMP:(0): processing vendor id payload
*Dec 19 14:14:31.451: ISAKMP:(0): processing IKE frag vendor id payload
*Dec 19 14:14:31.451: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Dec 19 14:14:31.451: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 19 14:14:31.451: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Dec 19 14:14:31.455: ISAKMP:(0): sending packet to 100.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Dec 19 14:14:31.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec 19 14:14:31.455: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 19 14:14:31.455: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Dec 19 14:14:32.675: ISAKMP (0): received packet from 100.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Dec 19 14:14:32.675: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 19 14:14:32.675: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Dec 19 14:14:32.675: ISAKMP:(0): processing KE payload. message ID = 0
*Dec 19 14:14:32.719: ISAKMP:(0): processing NONCE payload. message ID = 0
*Dec 19 14:14:32.719: ISAKMP:(0):found peer pre-shared key matching 100.1.1.2
*Dec 19 14:14:32.723: ISAKMP:(1001): processing vendor id payload
*Dec 19 14:14:32.723: ISAKMP:(1001): vendor ID is Unity
*Dec 19 14:14:32.723: ISAKMP:(1001): processing vendor id payload
*Dec 19 14:14:32.723: ISAKMP:(1001): vendor ID seems Unity/DPD but major 111 mismatch
*Dec 19 14:14:32.723: ISAKMP:(1001): vendor ID is XAUTH
*Dec 19 14:14:32.723: ISAKMP:(1001): processing vendor id payload
*Dec 19 14:14:32.723: ISAKMP:(1001): speaking to another IOS box!
*Dec 19 14:14:32.723: ISAKMP:(1001): processing vendor id payload
*Dec 19 14:14:32.723: ISAKMP:(1001):vendor ID seems Unity/DPD but hash mismatch
*Dec 19 14:14:32.727: ISAKMP:received payload type 20
*Dec 19 1.4:14:32.727: ISAKMP (1001): His hash no match - this node outside NAT
*Dec 19 14:14:32.727: ISAKMP:received payload type 20
*Dec 19 14:14:32.727: ISAKMP (1001): No NAT Found for self or peer
*Dec 19 14:14:32.727: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 19 14:14:32.727: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Dec 19 14:14:32.727: ISAKMP:(1001):Send initial contact
*Dec 19 14:14:32.727: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Dec 19 14:14:32.731: ISAKMP (1001): ID payload
        next-payload : 8
        type         : 1
        address      : 200.1.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Dec 19 14:14:32.731: ISAKMP:(1001):Total payload length: 12
*Dec 19 14:14:32.731: ISAKMP:(1001): sending packet to 100.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Dec 19 14:14:32.731: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Dec 19 14:14:32.731: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 19 14:14:32.731: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Dec 19 14:14:32.847: ISAKMP (1001): received packet from 100.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 19 14:14:32.847: ISAKMP:(1001): processing ID payload. message ID = 0
*Dec 19 14:14:32.851: ISAKMP (1001): ID payload
        next-payload : 8
        type         : 1
        address      : 100.1.1.2
        protocol     : 17
        port         : 0
        length       : 12
*Dec 19 14:14:32.855: ISAKMP:(0):: peer matches *none* of the profiles
*Dec 19 14:14:32.855: ISAKMP:(1001): processing HASH payload. message ID = 0
*Dec 19 14:14:32.859: ISAKMP:received payload type 17
*Dec 19 14:14:32.863: ISAKMP:(1001): processing vendor id payload
*Dec 19 14:14:32.863: ISAKMP:(1001): vendor ID is DPD
*Dec 19 14:14:32.863: ISAKMP:(1001):SA authentication status: authenticated
*Dec 19 14:14:32.863: ISAKMP:(1001):SA has been authenticated with 100.1.1.2
*Dec 19 14:14:32.863: ISAKMP: Tryi.
Success rate is 20 percent (1/5), round-trip min/avg/max = 140/140/140 ms
R1#ng to insert a peer 200.1.1.2/100.1.1.2/500/,  and inserted successfully 6A8D370C.
*Dec 19 14:14:32.863: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 19 14:14:32.867: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Dec 19 14:14:32.867: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 19 14:14:32.867: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6
*Dec 19 14:14:32.867: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 19 14:14:32.867: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Dec 19 14:14:32.871: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1599725558
*Dec 19 14:14:32.875: ISAKMP:(1001):QM Initiator gets spi
*Dec 19 14:14:32.875: ISAKMP:(1001): sending packet to 100.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Dec 19 14:14:32.875: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Dec 19 14:14:32.875: ISAKMP:(1001):Node 1599725558, Input = IKE_MESG_INTERNAL, IKE_I
R1#NIT_QM
*Dec 19 14:14:32.875: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Dec 19 14:14:32.875: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Dec 19 14:14:32.875: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Dec 19 14:14:32.947: ISAKMP (1001): received packet from 100.1.1.2 dport 500 sport 500 Global (I) QM_IDLE     
*Dec 19 14:14:32.951: ISAKMP:(1001): processing HASH payload. message ID = 1599725558
*Dec 19 14:14:32.951: ISAKMP:(1001): processing SA payload. message ID = 1599725558
*Dec 19 14:14:32.951: ISAKMP:(1001):Checking IPSec proposal 1
*Dec 19 14:14:32.951: ISAKMP: transform 1, ESP_AES
*Dec 19 14:14:32.951: ISAKMP:   attributes in transform:
*Dec 19 14:14:32.951: ISAKMP:      SA life type in seconds
*Dec 19 14:14:32.951: ISAKMP:      SA life duration (basic) of 3600
*Dec 19 14:14:32.951: ISAKMP:      SA life type in kilobytes
*Dec 19 14:14:32.951: ISAKMP:      SA life duration (VPI) of  0x0 0x46
R1#0x50 0x0
*Dec 19 14:14:32.951: ISAKMP:      encaps is 1 (Tunnel)
*Dec 19 14:14:32.951: ISAKMP:      authenticator is HMAC-SHA
*Dec 19 14:14:32.951: ISAKMP:      key length is 128
*Dec 19 14:14:32.951: ISAKMP:(1001):atts are acceptable.
*Dec 19 14:14:32.951: IPSEC(validate_proposal_request): proposal part #1
*Dec 19 14:14:32.951: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 200.1.1.2:0, remote= 100.1.1.2:0,
    local_proxy= 200.1.1.2/255.255.255.255/256/0,
    remote_proxy= 100.1.1.2/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Dec 19 14:14:32.951: Crypto mapdb : proxy_match
        src addr     : 200.1.1.2
        dst addr     : 100.1.1.2
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 19 14:14:32.955: ISAKMP:(1001): processing NONCE payload. message ID = 1599725558
*Dec 19 14:14:32.955: ISAKMP:(1001): processing ID payload
R1#. message ID = 1599725558
*Dec 19 14:14:32.955: ISAKMP:(1001): processing ID payload. message ID = 1599725558
*Dec 19 14:14:32.955: ISAKMP:(1001):Node 1599725558, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Dec 19 14:14:32.955: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Dec 19 14:14:32.955: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 19 14:14:32.955: Crypto mapdb : proxy_match
        src addr     : 200.1.1.2
        dst addr     : 100.1.1.2
        protocol     : 256
        src port     : 0
        dst port     : 0
*Dec 19 14:14:32.955: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CMAP
*Dec 19 14:14:32.959: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 100.1.1.2
*Dec 19 14:14:32.967: IPSEC(create_sa): sa created,
  (sa) sa_dest= 200.1.1.2, sa_proto= 50,
    sa_spi= 0x3CE36FDB(1021538267),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 1
    sa_lifetime(k/sec)= (4608000/3600)
*Dec 19 14:14:32.967: IPSEC
R1#(create_sa): sa created,
  (sa) sa_dest= 100.1.1.2, sa_proto= 50,
    sa_spi= 0x5D1C90F(97634575),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2
    sa_lifetime(k/sec)= (4608000/3600)
*Dec 19 14:14:32.971: IPSEC: Expand action denied, notify RP
*Dec 19 14:14:32.971:  ISAKMP: Failed to find peer index node to update peer_info_list
*Dec 19 14:14:32.975: ISAKMP:(1001):Received IPSec Install callback... proceeding with the negotiation
*Dec 19 14:14:32.975: ISAKMP:(1001): sending packet to 100.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Dec 19 14:14:32.979: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Dec 19 14:14:32.979: ISAKMP:(1001):deleting node 1599725558 error FALSE reason "No Error"
*Dec 19 14:14:32.979: ISAKMP:(1001):Node 1599725558, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Dec 19 14:14:32.979: ISAKMP:(1001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_PHASE2_COMPLETE

R1#show crypto isakmp sa  
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.1.1.2       200.1.1.2       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
  

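To make the debug output above easier to review, here is an added Python example (not from the original post or from Cisco) that parses the quoted `debug crypto isakmp` lines: it decodes the variable-length VPI lifetime bytes into the 86400 s / 4608000 kB values that appear later in the log, collects the negotiated Phase 1 attributes and the IKE state transitions, and flags settings a reviewer would now consider weak. The log excerpt is constructed from the lines quoted above.

```python
import re

# Constructed excerpt of the "debug crypto isakmp" output quoted on this page.
DEBUG_LOG = """\
*Dec 19 14:14:31.447: ISAKMP:      encryption AES-CBC
*Dec 19 14:14:31.447: ISAKMP:      keylength of 128
*Dec 19 14:14:31.451: ISAKMP:      hash SHA
*Dec 19 14:14:31.451: ISAKMP:      default group 2
*Dec 19 14:14:31.451: ISAKMP:      auth pre-share
*Dec 19 14:14:31.451: ISAKMP:      life type in seconds
*Dec 19 14:14:31.451: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Dec 19 14:14:32.867: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Dec 19 14:14:32.951: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Dec 19 14:14:32.979: ISAKMP:(1001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_PHASE2_COMPLETE
"""

VPI_RE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
ATTR_RE = re.compile(r"ISAKMP:\s{2,}(encryption|keylength of|hash|default group|auth)\s+(\S+)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")

def decode_vpi(hex_bytes: str) -> int:
    """Join the big-endian variable-length bytes IOS prints for a lifetime.
    '0x0 0x1 0x51 0x80' -> 0x00015180 -> 86400 (seconds)."""
    value = 0
    for tok in hex_bytes.split():
        value = (value << 8) | int(tok, 16)
    return value

def parse_debug(log: str) -> dict:
    """Pull negotiated Phase 1 attributes, decoded lifetimes and state transitions."""
    result = {"attrs": {}, "lifetimes": [], "transitions": []}
    for line in log.splitlines():
        if m := ATTR_RE.search(line):
            result["attrs"][m.group(1)] = m.group(2)
        if m := VPI_RE.search(line):
            result["lifetimes"].append(decode_vpi(m.group(1)))
        if m := STATE_RE.search(line):
            result["transitions"].append((m.group(1), m.group(2)))
    return result

# Phase 1 settings IOS still accepts but that are no longer recommended
# ("hash SHA" in IOS means SHA-1; DH groups 1, 2 and 5 are too small today).
WEAK = {"hash": {"SHA", "MD5"}, "default group": {"1", "2", "5"}}

def weak_phase1_settings(attrs: dict) -> list:
    return sorted(f"{k}={attrs[k]}" for k, bad in WEAK.items() if attrs.get(k) in bad)
```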
The Wireshark packet capture showed that the IKE Phase 1 authentication method is pre-shared key (packet no. 4). The other authentication method is to use a digital certificate (PKI).


The Main Mode (MM) message #2 (packet no. 8) showed that the key exchange data is already hashed (using the DH algorithm).