IKEv1 & IKEv2 Capture

It is probably one of the most used protocols in my daily business but I have never captured it in detail: IKE and IPsec/ESP. And since IKEv2 is coming I gave it a try and tcpdumped two VPN session initiations with IKEv1 main mode as well as with IKEv2 to see some basic differences.

Of course I know that all VPN protocols are encrypted, hence you won't see much payload data. But at least you can see the basic message flow, such as "only 4 messages with IKEv2" versus several more for legacy IKEv1 main mode. I won't go into the protocol details at all. I am merely publishing two pcap files so that anyone can have a look at a VPN session initiation. A few Wireshark screenshots complete the blog post.

IKE Challenges

A few months ago I published many Layer 2/3 challenges on my blog. Besides the positive feedback I got some remarks that the challenges were too easy because you only needed the Wireshark display filter and no deep protocol knowledge.

Ok, "challenge accepted" ;) here I have some more protocol-related challenges for you: With this post I am publishing a pcap which has four site-to-site IPsec VPN connections inside. In the first half of the pcap all four of them are wrongly configured, hence not working. –> What are the reasons for that? <–

IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

And one more IPsec VPN post, again between the Palo Alto Networks firewall and a Fortinet FortiGate, again over IPv6, but this time with IKEv2. It was no problem at all to change from IKEv1 to IKEv2 for this already configured VPN connection between the two different firewall vendors. Hence I am only showing the differences within the configuration and some listings from common CLI outputs for both firewalls.

IPv6 IPsec VPN Tunnel Palo Alto <-> FortiGate

Towards the global IPv6-only strategy ;) VPN tunnels will be used over IPv6, too. I configured a static IPsec site-to-site VPN between a Palo Alto Networks and a Fortinet FortiGate firewall via IPv6 only. I am using it for tunneling both Internet Protocols: IPv6 and legacy IP.

While it was quite easy to bring the tunnel "up", I had some problems tunneling both Internet Protocols over the single phase 2 session. The reason was a difference in IPsec tunnel handling between those two firewall vendors. Here are the details along with more than 20 screenshots and some CLI listings.

Palo Alto NDP Monitoring

With PAN-OS version 8.0 Palo Alto Networks introduced another IPv6 feature, namely "NDP Monitoring for Fast Device Location". It basically adds a bit of information to the existing neighbor cache, such as the User-ID (if present) and a "last reported" timestamp. That is: the admin has a new reporting window within the Palo Alto GUI that shows the reported IPv6 addresses along with their MAC addresses. This is really helpful for two reasons: 1) a single IPv6 node can have multiple IPv6 addresses, which makes it much more difficult to track them back to the MAC address, and 2) if SLAAC is used you now have a central point where you can look up the MAC-IPv6 bindings (comparable to the DHCP server lease for legacy IPv4).

PAN NGFW IPv6 NDP RA RDNSS & DNSSL

Haha, do you like acronyms as much as I do? This article is about the feature of Palo Alto Networks' Next-Generation Firewall for Internet Protocol version 6 Neighbor Discovery Protocol Router Advertisements with Recursive Domain Name System Server and Domain Name System Search List options. ;) I am showing how to use it and how Windows and Linux react to it.

Changing an Internet Connection within Telekom: A Nightmare

Instead of technical details, today a field report. Perhaps I should rather say: a report of an odyssey. For one of my customers I moved the business Internet connection. "Simple thing", I thought at first, especially since the old and the new connection are both with the same provider: Telekom. From a "Company Connect" of T-Systems (ok, not exactly Telekom after all) to a DeutschlandLAN Connect IP.

It was awful:

Juniper ScreenOS IPv4 vs. IPv6 Throughput Tests

And finally the throughput comparison of IPv6 and legacy IP on a Juniper ScreenOS firewall. Nobody needs this anymore since they are all gone. ;) But since I did the same speed tests for Palo Alto and FortiGate firewalls, I was interested in the results here as well.

Juniper ScreenOS VPN Speedtests

Just for fun, some more VPN throughput tests, this time for the late Juniper ScreenOS firewalls. I did the same Iperf TCP tests as in my labs for Fortinet and Palo Alto, using six different phase 1/2 proposals, i.e., crypto algorithm combinations. The results were as expected, with one exception.

Juniper ScreenOS Initial Cleanup Config

I still like the Juniper ScreenOS firewalls such as the SSG 5 or the SSG 140. However, they are End of Everything (EoE) and no longer used at customers. But they still do their job in basic networking (static/dynamic routing such as OSPF & BGP, IPv6, NAT), basic firewalling (access policies), and IPsec VPN. Hence I am using a couple of SSGs in my lab when playing with routing protocols and so on.

After a factory reset of those firewalls there are some default settings, such as zones on a few interfaces and default IP addresses. Therefore I put the following commands together in order to clean up the default config so that only IP addresses and default routes remain, which is a good starting point for lab configurations. Let's go:

Dump1090 ADS-B Stats

Exactly the right thing for me: lots of statistics about ADS-B reception. Specifically, these dump1090-tools run locally on the Raspberry Pi and evaluate the log of dump1090-mutability. (See my last post on installing dump1090.) Especially the statistics about the number of received aircraft and the reception range are easy to understand and very interesting.

Installing these tools is also very easy, only a few commands. (Even if an old Raspberry Pi 1 B then needs more than 30 minutes to run them.) Pretty much out of the box, new RRDtool graphs are then generated every 5 minutes. Let's go:

ADS-B on the Raspberry Pi: dump1090-mutability

For several years now I have been using a DVB-T stick to receive ADS-B data on a Raspberry Pi. Back then I explained how to use the Linux software dump1090 for this. However, the fork on GitHub by MalcolmRobb that I have used since then has not been developed further for years. After some research I came across the fork dump1090-mutability, which is derived from MalcolmRobb's. "It adds new functionality and is designed to be built as a Debian/Raspbian package."

Indeed, this tool is very easy to install, which I would like to explain below. The extended functionality includes, for example, the logging options with which statistics can be generated. There will be a separate blog post about this.
