May 04

VPN IPSec pfSense to Cisco ASA

A cross-system VPN can sometimes be a hard nut to crack, and pfSense <-> Cisco ASA over IPsec is one of them. After months of trial and error and contact with Netgate support (which is superb, btw), it's finally working. Got it working with IKEv1 first, but since v1 feels more and more legacy we wanted to upgrade to v2. Here is the configuration:

pfSense side (2.3.3)

Set IKEv2, the remote gateway, the PSK and the following phase 1 / phase 2 settings (they have to mirror the ASA side below: AES-256, SHA1, DH group 5 and 86400 s for phase 1; ESP AES-256, SHA1, PFS group 5 and 28800 s for phase 2):

And the following advanced settings:
(We are running another tunnel to another pfSense node, and it is fine with the same advanced settings.)
The advanced settings can be changed without breaking the connection.

And finally on the Cisco ASA side (in this case we had firmware version 9.1). Only the crypto parameters are listed; the peer, match address and interface binding of the crypto map entry, the tunnel-group with the IKEv2 pre-shared keys and enabling IKEv2 on the outside interface are not shown here.

P1 (the policy number is its priority; the ASA tries the lowest number first, so check that this policy is at the top):

crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400

P2 (the crypto map entry references a single ipsec-proposal, the ASA default named AES256, which offers SHA-1 and MD5 integrity; pfSense's SHA1 matches the first):

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5

crypto map fe-inet-vl100_map 36 set pfs group5
crypto map fe-inet-vl100_map 36 set ikev2 ipsec-proposal AES256
crypto map fe-inet-vl100_map 36 set security-association lifetime seconds 28800
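As an added example (not from the post, Netgate or Cisco), the script below parses the ASA lines above and checks them against the pfSense phase 1 / phase 2 values, so a proposal mismatch shows up in a script rather than in IKE logs. The ASA text is constructed from the post; the pfSense dictionaries are assumed to mirror the GUI fields that make this tunnel come up, and the ASA keyword tables only cover the algorithms an ASA 9.1 offers in this form.

```python
from collections import defaultdict

# Constructed from the ASA lines in the post (ASA 9.1 syntax).
ASA_CONFIG = """
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map fe-inet-vl100_map 36 set pfs group5
crypto map fe-inet-vl100_map 36 set ikev2 ipsec-proposal AES256
crypto map fe-inet-vl100_map 36 set security-association lifetime seconds 28800
"""

# pfSense IKEv2 phase 1 / phase 2 fields as assumed for this tunnel
# (algorithm with key length, hash, DH group, lifetime in seconds).
PFSENSE_P1 = {"encryption": ("aes", 256), "hash": "sha1", "dhgroup": 5, "lifetime": 86400}
PFSENSE_P2 = {"encryption": ("aes", 256), "hash": "sha1", "pfsgroup": 5, "lifetime": 28800}

# ASA keywords -> vendor-neutral names, so both sides compare on equal terms.
ENC = {"aes-256": ("aes", 256), "aes-192": ("aes", 192), "aes": ("aes", 128),
       "3des": ("3des", 168), "des": ("des", 56)}
HASH = {"sha": "sha1", "sha-1": "sha1", "sha256": "sha256", "sha384": "sha384",
        "sha512": "sha512", "md5": "md5"}
LEGACY = {("des", 56), ("3des", 168), "md5", "sha1", 1, 2, 5}   # warn even when both sides agree


def _groups(tokens):
    return {int(t.replace("group", "")) for t in tokens}       # "5" and "group5" both -> 5


def parse_asa(text):
    """Collect ikev2 policies, ipsec-proposals and crypto map 'set' lines from ASA config text."""
    cfg = {"policies": {}, "proposals": {}, "maps": defaultdict(dict)}
    cur = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["crypto", "ikev2", "policy"]:
            cur = cfg["policies"].setdefault(int(t[3]), {"encryption": set(), "integrity": set(),
                                                         "group": set(), "prf": set(), "lifetime": None})
        elif t[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            cur = cfg["proposals"].setdefault(t[4], {"encryption": set(), "integrity": set()})
        elif t[:2] == ["crypto", "map"] and t[4] == "set":
            entry = cfg["maps"][(t[2], int(t[3]))]
            if t[5] == "pfs":
                entry["pfs"] = _groups(t[6:])
            elif t[5:7] == ["ikev2", "ipsec-proposal"]:
                entry["proposals"] = t[7:]
            elif t[5:8] == ["security-association", "lifetime", "seconds"]:
                entry["lifetime"] = int(t[8])
        elif raw[:1] == " " and cur is not None:                # sub-command of the current block
            if t[0] == "encryption":
                cur["encryption"] |= {ENC[x] for x in t[1:]}
            elif t[0] in ("integrity", "prf"):
                cur[t[0]] |= {HASH[x] for x in t[1:]}
            elif t[0] == "group":
                cur["group"] |= _groups(t[1:])
            elif t[:2] == ["lifetime", "seconds"]:
                cur["lifetime"] = int(t[2])
            elif t[:3] == ["protocol", "esp", "encryption"]:
                cur["encryption"] |= {ENC[x] for x in t[3:]}
            elif t[:3] == ["protocol", "esp", "integrity"]:
                cur["integrity"] |= {HASH[x] for x in t[3:]}
    return cfg


def check(cfg, p1, p2, map_key):
    """Return (level, message) pairs; any 'fail' means the tunnel will not come up."""
    out = []
    # The ASA walks its policies lowest number first and takes the first match,
    # which is why the policy has to sit at the top.
    for prio, pol in sorted(cfg["policies"].items()):
        if (p1["encryption"] in pol["encryption"] and p1["hash"] in pol["integrity"]
                and p1["hash"] in pol["prf"] and p1["dhgroup"] in pol["group"]):
            out.append(("ok", f"phase 1 matches ikev2 policy {prio}"))
            if pol["lifetime"] != p1["lifetime"]:   # IKEv2 does not negotiate lifetimes: not fatal
                out.append(("warn", f"phase 1 lifetime {pol['lifetime']}s on the ASA vs "
                                    f"{p1['lifetime']}s on pfSense; the shorter side rekeys first"))
            break
    else:
        out.append(("fail", "no ikev2 policy accepts the pfSense phase 1 proposal"))
    entry = cfg["maps"].get(map_key)
    if entry is None:
        return out + [("fail", f"crypto map entry {map_key} not found")]
    empty = {"encryption": set(), "integrity": set()}
    ok = [n for n in entry.get("proposals", [])
          if p2["encryption"] in cfg["proposals"].get(n, empty)["encryption"]
          and p2["hash"] in cfg["proposals"].get(n, empty)["integrity"]]
    out.append(("ok", f"phase 2 matches ipsec-proposal {ok[0]}") if ok else
               ("fail", "no ipsec-proposal on the crypto map entry accepts the pfSense phase 2 proposal"))
    asa_pfs = entry.get("pfs")                                   # None when there is no "set pfs"
    if not (asa_pfs is None and p2["pfsgroup"] is None) and not (asa_pfs and p2["pfsgroup"] in asa_pfs):
        out.append(("fail", f"PFS mismatch: ASA {asa_pfs}, pfSense {p2['pfsgroup']}"))
    if entry.get("lifetime") != p2["lifetime"]:
        out.append(("warn", f"phase 2 lifetime {entry.get('lifetime')}s on the ASA vs {p2['lifetime']}s on pfSense"))
    weak = {p1["encryption"], p1["hash"], p1["dhgroup"], p2["encryption"], p2["hash"], p2["pfsgroup"]} & LEGACY
    if weak:
        out.append(("warn", "legacy algorithms in use, fine for matching this ASA but worth upgrading: "
                            + ", ".join(sorted(map(str, weak)))))
    return out


def report():
    return check(parse_asa(ASA_CONFIG), PFSENSE_P1, PFSENSE_P2, ("fe-inet-vl100_map", 36))


if __name__ == "__main__":
    for level, msg in report():
        print(f"[{level}] {msg}")
```

Run as-is it reports both phases matching and one warning: DH group 5 and SHA-1 are what this ASA offers, but they are legacy choices, so move to group 14 or higher and SHA-256 on both sides when the ASA image allows it. Lifetime differences are only warnings because IKEv2 does not negotiate them; a PFS group difference or a missing common proposal is a hard failure.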

 

And we are up and running, thanks to the pfSense community and Netgate support. Sad that I can't buy you all a beer 🙂

Apr 13

Only allow downloading when VPN is up

Under normal circumstances a download/upload just continues when a VPN goes up or down, now with the new external IP. This is NOT what we want to happen, since it strips away the anonymity, so we need to do something to prevent it.

One application that solves this is VP NetMon, a program that can shut down an application when the network changes. It's very simple, so even your grandma could set it up. Here is an example of a test setup:

Personally I use a PPTP VPN (and yes, I know it's not secure in that regard, but I can never believe we need anything more if we are not dealing drugs or shit like that).

With PPTP there is a much better way. We know it uses TCP port 1723 to negotiate the tunnel and then GRE (IP protocol 47, which has no ports) for the data. So with only 3 firewall rules on the interface the computer sits behind (normally LAN) we have a setup that blocks the computer if the VPN goes down, i.e. it can only communicate through the VPN server.

So we need to:
1) Allow creating the tunnel (TCP 1723 from the computer to the VPN server's IP)
2) Allow traffic over GRE (from the computer to the VPN server's IP)
3) Block anything else from that computer

Keep the two allow rules restricted to the VPN server's IP, and point the PPTP client at that IP rather than a hostname: rule 3 also blocks DNS, so a name lookup before the tunnel is up would fail. Rule order matters, since pfSense takes the first matching rule. Here are example rules in pfSense for this setup; they work like a charm:
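As an added example (not from the post or from pfSense), the script below models the three LAN rules with pfSense's first-match semantics and runs them against constructed packets, so you can see what still gets out when the VPN is down and what rule 3 stops. The client, neighbour and VPN server addresses are made up, and the last rule stands in for the stock "Default allow LAN to any" rule that the other LAN hosts keep using.

```python
from dataclasses import dataclass
from typing import Optional

CLIENT = "192.168.1.50"       # assumed LAN host that may only talk through the VPN
VPN_SERVER = "203.0.113.10"   # assumed PPTP server, given as an IP and not a hostname
OTHER_HOST = "192.168.1.51"   # assumed LAN host without the restriction


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "gre", ...; GRE carries no ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "block"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


# LAN rules in pfSense order (top to bottom, first match wins).
LAN_RULES = [
    Rule("pass", proto="tcp", src=CLIENT, dst=VPN_SERVER, dport=1723),   # 1) create the tunnel
    Rule("pass", proto="gre", src=CLIENT, dst=VPN_SERVER),               # 2) PPP inside GRE
    Rule("block", src=CLIENT),                                           # 3) everything else
    Rule("pass"),                                                        # stock "allow LAN to any"
]


def decide(rules, p: Packet) -> str:
    """The first matching rule decides; pfSense drops what matches nothing."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


def leaks(rules, packets):
    """Packets from CLIENT that the rules let out to anywhere but the VPN server."""
    return [p for p in packets
            if p.src == CLIENT and p.dst != VPN_SERVER and decide(rules, p) == "pass"]


# Constructed traffic: tunnel setup, tunnelled data, and what the client does once the VPN drops.
SAMPLE = [
    Packet(CLIENT, VPN_SERVER, "tcp", 1723),         # PPTP control connection
    Packet(CLIENT, VPN_SERVER, "gre"),               # tunnelled data
    Packet(CLIENT, "198.51.100.20", "tcp", 443),     # direct HTTPS after the tunnel dropped
    Packet(CLIENT, "198.51.100.20", "tcp", 6881),    # torrent client carrying on with the real IP
    Packet(CLIENT, "192.168.1.1", "udp", 53),        # DNS to the router: blocked too (see note)
    Packet(CLIENT, "198.51.100.7", "gre"),           # GRE to some other host
    Packet(OTHER_HOST, "198.51.100.20", "tcp", 443),  # unrestricted neighbour
]


if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{decide(LAN_RULES, p):5}  {p.proto:3} {p.src} -> {p.dst}:{p.dport}")
    # Drop rule 3 and the client falls through to the default allow rule and leaks.
    print("leaks without rule 3:", len(leaks(LAN_RULES[:2] + LAN_RULES[3:], SAMPLE)))
```

Only the LAN direction needs rules because pfSense is stateful and lets the replies back in. In the GUI, rule 2 is a pass rule with Protocol set to GRE (no ports), and rule 3 has only the source set to the client; the model shows that without rule 3 the stock allow rule lets HTTPS, the torrent client and DNS straight out on the real IP.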

Dec 19

How to upgrade ProCurve firmware, WinSCP/SFTP

First, you need to console into the switch and run the following commands (the IP on VLAN 1 is just an example; use one the machine running WinSCP can reach):

vlan 1
ip address 192.168.2.2 255.255.255.0
exit
ip ssh
ip ssh filetransfer
password manager user-name <your username> plaintext <your password>

Enabling ip ssh filetransfer also turns off TFTP on the switch, and the manager account set on the last line is the one WinSCP logs in with.

When the above commands are executed, you can use WinSCP to log on to the switch. WinSCP by default uploads to a temporary part-file first, which the switch does not allow, so turn this off before you connect: "Tools -> Preferences -> Transfers -> Endurance -> Enable transfer resume/transfer to temporary filename -> Disable".

Rename the downloaded firmware to just primary or secondary, depending on which flash slot you want to replace. No .swi extension.

Overwrite the file with the same name in the /os folder on the switch.

Do a "show flash" from the console; when the new version is listed for that slot, the switch has finished writing it and you are ready to reboot.

Now type "boot" and have fun 🙂 (boot uses the default flash image, normally primary; if you uploaded to secondary, use "boot system flash secondary".)

Dec 15

Reset vs Clear button HP ProCurve

It's always confusing which one to press to do what. This is it basically:

Reset: Press it alone and the switch just reboots with its current config.

Clear: Press for at least 1 second and you reset the manager/operator passwords. The switch does nothing else, so IMO it can be done during working hours.

Reset + Clear: Press both, release Reset while still holding Clear, and release Clear when the Test LED starts flashing. The switch falls back to its factory default config.

Both buttons are a physical-access bypass of the passwords and the config. If the switch sits somewhere others can reach it, disable them with "no front-panel-security password-clear" and "no front-panel-security factory-reset" and check the result with "show front-panel-security".